Create a system proxy change after receiving a network map

This is experimental and needs more test. the purpose of this change is to validate that a TLS connection stuck using old routes because of keepalive settings on the remote webserver are reset once netbird receives a network map
2026-04-02 07:33:52 -04:00 · 2026-02-01 10:23:25 +01:00 · 2026-02-01 10:21:51 +01:00
229 changed files with 1034 additions and 30386 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 .run
 *.iml
 dist/
-!proxy/web/dist/
 bin/
 .env
 conf.json
--- a/README.md
+++ b/README.md
@@ -60,8 +60,8 @@

 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-Host NetBird (Video)
-[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
+### NetBird on Lawrence Systems (Video)
+[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

 ### Key features

--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -71,8 +71,6 @@ type Options struct {
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
-	WireguardPort *int
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -142,7 +140,6 @@ func New(opts Options) (*Client, error) {
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
-		WireguardPort:       opts.WireguardPort,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -162,7 +159,6 @@ func New(opts Options) (*Client, error) {
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
-		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }

@@ -184,7 +180,6 @@ func (c *Client) Start(startCtx context.Context) error {

 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-
 	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
 	if err != nil {
 		return fmt.Errorf("create auth client: %w", err)
@@ -194,7 +189,10 @@ func (c *Client) Start(startCtx context.Context) error {
 	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-	client := internal.NewConnectClient(ctx, c.config, c.recorder, false)
+
+	recorder := peer.NewRecorder(c.config.ManagementURL.String())
+	c.recorder = recorder
+	client := internal.NewConnectClient(ctx, c.config, recorder, false)
 	client.SetSyncResponsePersistence(true)

 	// either startup error (permanent backoff err) or nil err (successful engine up)
@@ -347,9 +345,14 @@ func (c *Client) NewHTTPClient() *http.Client {
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
+	recorder := c.recorder
 	connect := c.connect
 	c.mu.Unlock()

+	if recorder == nil {
+		return peer.FullStatus{}, errors.New("client not started")
+	}
+
 	if connect != nil {
 		engine := connect.Engine()
 		if engine != nil {
@@ -357,7 +360,7 @@ func (c *Client) Status() (peer.FullStatus, error) {
 		}
 	}

-	return c.recorder.GetFullStatus(), nil
+	return recorder.GetFullStatus(), nil
 }

 // GetLatestSyncResponse returns the latest sync response from the management server.
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,6 +3,12 @@
 package uspfilter

 import (
+	"context"
+	"net/netip"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -11,7 +17,33 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}

 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -1,9 +1,12 @@
 package uspfilter

 import (
+	"context"
 	"fmt"
+	"net/netip"
 	"os/exec"
 	"syscall"
+	"time"

 	log "github.com/sirupsen/logrus"

@@ -23,7 +26,33 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
+	m.incomingRules = make(map[netip.Addr]RuleSet)
+
+	if m.udpTracker != nil {
+		m.udpTracker.Close()
+	}
+
+	if m.icmpTracker != nil {
+		m.icmpTracker.Close()
+	}
+
+	if m.tcpTracker != nil {
+		m.tcpTracker.Close()
+	}
+
+	if fwder := m.forwarder.Load(); fwder != nil {
+		fwder.Stop()
+	}
+
+	if m.logger != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := m.logger.Stop(ctx); err != nil {
+			log.Errorf("failed to shutdown logger: %v", err)
+		}
+	}

 	if !isWindowsFirewallReachable() {
 		return nil
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,7 +1,6 @@
 package uspfilter

 import (
-	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -13,13 +12,11 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
-	"time"

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -27,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -93,7 +89,6 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
-	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -234,7 +229,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
-		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -486,15 +480,11 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}

-	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
-
-	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
-		return existingRule, nil
-	}
+	ruleID := uuid.New().String()

 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         string(ruleKey),
+		id:         ruleID,
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
@@ -509,7 +499,6 @@ func (m *Manager) addRouteFiltering(

 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
-	m.routeRulesMap[ruleKey] = &rule

 	return &rule, nil
 }
@@ -526,20 +515,15 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}

-	ruleKey := nbid.RuleID(rule.ID())
-	if _, ok := m.routeRulesMap[ruleKey]; !ok {
-		return fmt.Errorf("route rule not found: %s", ruleKey)
-	}
-
+	ruleID := rule.ID()
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == string(ruleKey)
+		return r.id == ruleID
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
+		return fmt.Errorf("route rule not found: %s", ruleID)
 	}

 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
-	delete(m.routeRulesMap, ruleKey)
 	return nil
 }

@@ -586,40 +570,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

-// resetState clears all firewall rules and closes connection trackers.
-// Must be called with m.mutex held.
-func (m *Manager) resetState() {
-	maps.Clear(m.outgoingRules)
-	maps.Clear(m.incomingDenyRules)
-	maps.Clear(m.incomingRules)
-	maps.Clear(m.routeRulesMap)
-	m.routeRules = m.routeRules[:0]
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
-}
-
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	if m.nativeFirewall == nil {
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -1,376 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	wgdevice "golang.zx2c4.com/wireguard/device"
-
-	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/mocks"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-// TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
-// filtering rule twice returns the same rule ID (idempotent behavior).
-func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{
-		netip.MustParsePrefix("100.64.1.0/24"),
-		netip.MustParsePrefix("100.64.2.0/24"),
-	}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add rule first time
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	// Add the same rule again
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	// These should be the same (idempotent) like nftables/iptables implementations
-	assert.Equal(t, rule1.ID(), rule2.ID(),
-		"Adding the same rule twice should return the same rule ID (idempotent)")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule)")
-}
-
-// TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
-// different parameters get distinct IDs.
-func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-
-	// Add first rule
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Add different rule (different destination)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-2"),
-		sources,
-		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	assert.NotEqual(t, rule1.ID(), rule2.ID(),
-		"Different rules should have different IDs")
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
-}
-
-// TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
-// rule during a network map update does not disrupt existing traffic.
-func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	require.True(t, pass, "Traffic should pass with rule in place")
-
-	// Re-add same rule (simulates network map update)
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
-	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
-	// would remove the only matching rule and cause a traffic gap.
-	if rule1.ID() != rule2.ID() {
-		err = manager.DeleteRouteRule(rule1)
-		require.NoError(t, err)
-	}
-
-	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.True(t, passAfter,
-		"Traffic should still pass after rule update - no gap should occur")
-}
-
-// TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
-// exactly one drop rule for the WireGuard network prefix, and calling it again
-// returns the same rule without duplicating.
-func TestBlockInvalidRoutedIdempotent(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call blockInvalidRouted directly multiple times
-	rule1, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule1)
-
-	rule2, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule2)
-
-	rule3, err := manager.blockInvalidRouted(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, rule3)
-
-	// All should return the same rule
-	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
-	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
-
-	// Should have exactly 1 route rule
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
-
-	// Verify the rule blocks traffic to the WG network
-	srcIP := netip.MustParseAddr("10.0.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.50")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
-	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
-}
-
-// TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
-// EnableRouting multiple times (as happens on each route update) does not
-// accumulate duplicate block rules in the routeRules slice.
-func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	// Call EnableRouting multiple times (simulating repeated route updates)
-	for i := 0; i < 5; i++ {
-		require.NoError(t, manager.EnableRouting())
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 1, ruleCount,
-		"Repeated EnableRouting should not accumulate block rules")
-}
-
-// TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
-// rule multiple times does not create duplicate entries.
-func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Simulate 5 network map updates with the same route rule
-	for i := 0; i < 5; i++ {
-		rule, err := manager.AddRouteFiltering(
-			[]byte("policy-1"),
-			sources,
-			destination,
-			fw.ProtocolTCP,
-			nil,
-			&fw.Port{Values: []uint16{443}},
-			fw.ActionAccept,
-		)
-		require.NoError(t, err)
-		require.NotNil(t, rule)
-	}
-
-	manager.mutex.RLock()
-	ruleCount := len(manager.routeRules)
-	manager.mutex.RUnlock()
-
-	assert.Equal(t, 2, ruleCount,
-		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
-}
-
-// TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
-// after adding it multiple times works correctly.
-func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
-	manager := setupTestManager(t)
-
-	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
-	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
-
-	// Add same rule twice
-	rule1, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	rule2, err := manager.AddRouteFiltering(
-		[]byte("policy-1"),
-		sources,
-		destination,
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-
-	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
-
-	// Delete using first reference
-	err = manager.DeleteRouteRule(rule1)
-	require.NoError(t, err)
-
-	// Verify traffic no longer passes
-	srcIP := netip.MustParseAddr("100.64.1.5")
-	dstIP := netip.MustParseAddr("192.168.1.10")
-	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
-	assert.False(t, pass, "Traffic should not pass after rule deletion")
-}
-
-func setupTestManager(t *testing.T) *Manager {
-	t.Helper()
-
-	ctrl := gomock.NewController(t)
-	dev := mocks.NewMockDevice(ctrl)
-	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
-
-	wgNet := netip.MustParsePrefix("100.64.0.1/16")
-
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      wgNet.Addr(),
-				Network: wgNet,
-			}
-		},
-		GetDeviceFunc: func() *device.FilteredDevice {
-			return &device.FilteredDevice{Device: dev}
-		},
-		GetWGDeviceFunc: func() *wgdevice.Device {
-			return &wgdevice.Device{}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.EnableRouting())
-
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	return manager
-}
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -263,158 +263,6 @@ func TestAddUDPPacketHook(t *testing.T) {
 	}
 }

-// TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
-// to the deny map and can be cleanly deleted without leaving orphans.
-func TestPeerRuleLifecycleDenyRules(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
-
-	// Add multiple deny rules for different ports
-	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
-
-	// Delete the first deny rule
-	err = m.DeletePeerRule(rule1[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCount = len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
-
-	// Delete the second deny rule
-	err = m.DeletePeerRule(rule2[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, exists := m.incomingDenyRules[addr]
-	m.mutex.RUnlock()
-	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
-}
-
-// TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
-// peer rules (simulating network map updates) does not leak rules in the maps.
-func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-	addr := netip.MustParseAddr("192.168.1.1")
-
-	// Simulate 10 network map updates: add rule, delete old, add new
-	for i := 0; i < 10; i++ {
-		// Add a deny rule
-		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-		require.NoError(t, err)
-
-		// Add an allow rule
-		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-		require.NoError(t, err)
-
-		// Delete them (simulating ACL manager cleanup)
-		for _, r := range rules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-		for _, r := range allowRules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-	}
-
-	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	allowCount := len(m.incomingRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
-	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
-}
-
-// TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
-// IP are stored in separate maps and don't interfere with each other.
-func TestMixedAllowDenyRulesSameIP(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, m.Close(nil))
-	}()
-
-	ip := net.ParseIP("192.168.1.1")
-
-	// Add allow rule for port 80
-	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-	require.NoError(t, err)
-
-	// Add deny rule for port 22
-	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-	require.NoError(t, err)
-
-	addr := netip.MustParseAddr("192.168.1.1")
-	m.mutex.RLock()
-	allowCount := len(m.incomingRules[addr])
-	denyCount := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
-
-	// Delete allow rule should not affect deny rule
-	err = m.DeletePeerRule(allowRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	denyCountAfter := len(m.incomingDenyRules[addr])
-	m.mutex.RUnlock()
-
-	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
-
-	// Delete deny rule
-	err = m.DeletePeerRule(denyRule[0])
-	require.NoError(t, err)
-
-	m.mutex.RLock()
-	_, denyExists := m.incomingDenyRules[addr]
-	_, allowExists := m.incomingRules[addr]
-	m.mutex.RUnlock()
-
-	require.False(t, denyExists, "Deny rules should be empty")
-	require.False(t, allowExists, "Allow rules should be empty")
-}
-
 func TestManagerReset(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -18,7 +18,6 @@ import (
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
@@ -229,10 +228,6 @@ func (w *WGIface) Close() error {
 		result = multierror.Append(result, fmt.Errorf("failed to close wireguard interface %s: %w", w.Name(), err))
 	}

-	if nbnetstack.IsEnabled() {
-		return errors.FormatErrorOrNil(result)
-	}
-
 	if err := w.waitUntilRemoved(); err != nil {
 		log.Warnf("failed to remove WireGuard interface %s: %v", w.Name(), err)
 		if err := w.Destroy(); err != nil {
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -189,212 +189,6 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }

-// TestDenyRulesNotAccumulatedOnRepeatedApply verifies that applying the same
-// deny rules repeatedly does not accumulate duplicate rules in the uspfilter.
-// This tests the full ACL manager -> uspfilter integration.
-func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_DROP,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "22",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_DROP,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "80",
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "443",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, fw.Close(nil))
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	// Apply the same rules 5 times (simulating repeated network map updates)
-	for i := 0; i < 5; i++ {
-		acl.ApplyFiltering(networkMap, false)
-	}
-
-	// The ACL manager should track exactly 3 rule pairs (2 deny + 1 accept inbound)
-	assert.Equal(t, 3, len(acl.peerRulesPairs),
-		"Should have exactly 3 rule pairs after 5 identical updates")
-}
-
-// TestDenyRulesCleanedUpOnRemoval verifies that deny rules are properly cleaned
-// up when they're removed from the network map in a subsequent update.
-func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, fw.Close(nil))
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	// First update: add deny and accept rules
-	networkMap1 := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_DROP,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "22",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "443",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-
-	acl.ApplyFiltering(networkMap1, false)
-	assert.Equal(t, 2, len(acl.peerRulesPairs), "Should have 2 rules after first update")
-
-	// Second update: remove the deny rule, keep only accept
-	networkMap2 := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "443",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-
-	acl.ApplyFiltering(networkMap2, false)
-	assert.Equal(t, 1, len(acl.peerRulesPairs),
-		"Should have 1 rule after removing deny rule")
-
-	// Third update: remove all rules
-	networkMap3 := &mgmProto.NetworkMap{
-		FirewallRules:        []*mgmProto.FirewallRule{},
-		FirewallRulesIsEmpty: true,
-	}
-
-	acl.ApplyFiltering(networkMap3, false)
-	assert.Equal(t, 0, len(acl.peerRulesPairs),
-		"Should have 0 rules after removing all rules")
-}
-
-// TestRuleUpdateChangingAction verifies that when a rule's action changes from
-// accept to deny (or vice versa), the old rule is properly removed and the new
-// one added without leaking.
-func TestRuleUpdateChangingAction(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, fw.Close(nil))
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	// First update: accept rule
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "22",
-			},
-		},
-		FirewallRulesIsEmpty: false,
-	}
-	acl.ApplyFiltering(networkMap, false)
-	assert.Equal(t, 1, len(acl.peerRulesPairs))
-
-	// Second update: change to deny (same IP/port/proto, different action)
-	networkMap.FirewallRules = []*mgmProto.FirewallRule{
-		{
-			PeerIP:    "10.93.0.1",
-			Direction: mgmProto.RuleDirection_IN,
-			Action:    mgmProto.RuleAction_DROP,
-			Protocol:  mgmProto.RuleProtocol_TCP,
-			Port:      "22",
-		},
-	}
-	acl.ApplyFiltering(networkMap, false)
-
-	// Should still have exactly 1 rule (the old accept removed, new deny added)
-	assert.Equal(t, 1, len(acl.peerRulesPairs),
-		"Changing action should result in exactly 1 rule, not 2")
-}
-
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -20,7 +20,6 @@ import (

 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -245,7 +244,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: device.WireGuardModuleIsLoaded() && !netstack.IsEnabled(),
+			KernelInterface: device.WireGuardModuleIsLoaded(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
 		c.statusRecorder.UpdateLocalPeerState(localPeerState)
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -6,9 +6,7 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
-	"os"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"

@@ -29,8 +27,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/domain"
 )

-const envSkipDNSProbe = "NB_SKIP_DNS_PROBE"
-
 // ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
 type ReadyListener interface {
 	OnReady()
@@ -443,17 +439,6 @@ func (s *DefaultServer) SearchDomains() []string {
 // ProbeAvailability tests each upstream group's servers for availability
 // and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
-	if val := os.Getenv(envSkipDNSProbe); val != "" {
-		skipProbe, err := strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", envSkipDNSProbe, err)
-		}
-		if skipProbe {
-			log.Infof("skipping DNS probe due to %s", envSkipDNSProbe)
-			return
-		}
-	}
-
 	var wg sync.WaitGroup
 	for _, mux := range s.dnsMuxMap {
 		wg.Add(1)
--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -190,75 +190,50 @@ func (f *DNSForwarder) Close(ctx context.Context) error {
 	return nberrors.FormatErrorOrNil(result)
 }

-func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg, startTime time.Time) {
+func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, query *dns.Msg) *dns.Msg {
 	if len(query.Question) == 0 {
-		return
+		return nil
 	}
 	question := query.Question[0]
-	qname := strings.ToLower(question.Name)
+	logger.Tracef("received DNS request for DNS forwarder: domain=%s type=%s class=%s",
+		question.Name, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])

-	logger.Tracef("question: domain=%s type=%s class=%s",
-		qname, dns.TypeToString[question.Qtype], dns.ClassToString[question.Qclass])
+	domain := strings.ToLower(question.Name)

 	resp := query.SetReply(query)
 	network := resutil.NetworkForQtype(question.Qtype)
 	if network == "" {
 		resp.Rcode = dns.RcodeNotImplemented
-		f.writeResponse(logger, w, resp, qname, startTime)
-		return
+		if err := w.WriteMsg(resp); err != nil {
+			logger.Errorf("failed to write DNS response: %v", err)
+		}
+		return nil
 	}

-	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(qname, "."))
+	mostSpecificResId, matchingEntries := f.getMatchingEntries(strings.TrimSuffix(domain, "."))
+	// query doesn't match any configured domain
 	if mostSpecificResId == "" {
 		resp.Rcode = dns.RcodeRefused
-		f.writeResponse(logger, w, resp, qname, startTime)
-		return
+		if err := w.WriteMsg(resp); err != nil {
+			logger.Errorf("failed to write DNS response: %v", err)
+		}
+		return nil
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), upstreamTimeout)
 	defer cancel()

-	result := resutil.LookupIP(ctx, f.resolver, network, qname, question.Qtype)
+	result := resutil.LookupIP(ctx, f.resolver, network, domain, question.Qtype)
 	if result.Err != nil {
-		f.handleDNSError(ctx, logger, w, question, resp, qname, result, startTime)
-		return
+		f.handleDNSError(ctx, logger, w, question, resp, domain, result)
+		return nil
 	}

 	f.updateInternalState(result.IPs, mostSpecificResId, matchingEntries)
-	resp.Answer = append(resp.Answer, resutil.IPsToRRs(qname, result.IPs, f.ttl)...)
-	f.cache.set(qname, question.Qtype, result.IPs)
+	resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, result.IPs, f.ttl)...)
+	f.cache.set(domain, question.Qtype, result.IPs)

-	f.writeResponse(logger, w, resp, qname, startTime)
-}
-
-func (f *DNSForwarder) writeResponse(logger *log.Entry, w dns.ResponseWriter, resp *dns.Msg, qname string, startTime time.Time) {
-	if err := w.WriteMsg(resp); err != nil {
-		logger.Errorf("failed to write DNS response: %v", err)
-		return
-	}
-
-	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
-		qname, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
-}
-
-// udpResponseWriter wraps a dns.ResponseWriter to handle UDP-specific truncation.
-type udpResponseWriter struct {
-	dns.ResponseWriter
-	query *dns.Msg
-}
-
-func (u *udpResponseWriter) WriteMsg(resp *dns.Msg) error {
-	opt := u.query.IsEdns0()
-	maxSize := dns.MinMsgSize
-	if opt != nil {
-		maxSize = int(opt.UDPSize())
-	}
-
-	if resp.Len() > maxSize {
-		resp.Truncate(maxSize)
-	}
-
-	return u.ResponseWriter.WriteMsg(resp)
+	return resp
 }

 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
@@ -268,7 +243,30 @@ func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})

-	f.handleDNSQuery(logger, &udpResponseWriter{ResponseWriter: w, query: query}, query, startTime)
+	resp := f.handleDNSQuery(logger, w, query)
+	if resp == nil {
+		return
+	}
+
+	opt := query.IsEdns0()
+	maxSize := dns.MinMsgSize
+	if opt != nil {
+		// client advertised a larger EDNS0 buffer
+		maxSize = int(opt.UDPSize())
+	}
+
+	// if our response is too big, truncate and set the TC bit
+	if resp.Len() > maxSize {
+		resp.Truncate(maxSize)
+	}
+
+	if err := w.WriteMsg(resp); err != nil {
+		logger.Errorf("failed to write DNS response: %v", err)
+		return
+	}
+
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
 }

 func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
@@ -278,7 +276,18 @@ func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
 	})

-	f.handleDNSQuery(logger, w, query, startTime)
+	resp := f.handleDNSQuery(logger, w, query)
+	if resp == nil {
+		return
+	}
+
+	if err := w.WriteMsg(resp); err != nil {
+		logger.Errorf("failed to write DNS response: %v", err)
+		return
+	}
+
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		query.Question[0].Name, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
 }

 func (f *DNSForwarder) updateInternalState(ips []netip.Addr, mostSpecificResId route.ResID, matchingEntries []*ForwarderEntry) {
@@ -325,7 +334,6 @@ func (f *DNSForwarder) handleDNSError(
 	resp *dns.Msg,
 	domain string,
 	result resutil.LookupResult,
-	startTime time.Time,
 ) {
 	qType := question.Qtype
 	qTypeName := dns.TypeToString[qType]
@@ -335,7 +343,9 @@ func (f *DNSForwarder) handleDNSError(
 	// NotFound: cache negative result and respond
 	if result.Rcode == dns.RcodeNameError || result.Rcode == dns.RcodeSuccess {
 		f.cache.set(domain, question.Qtype, nil)
-		f.writeResponse(logger, w, resp, domain, startTime)
+		if writeErr := w.WriteMsg(resp); writeErr != nil {
+			logger.Errorf("failed to write failure DNS response: %v", writeErr)
+		}
 		return
 	}

@@ -345,7 +355,9 @@ func (f *DNSForwarder) handleDNSError(
 			logger.Debugf("serving cached DNS response after upstream failure: domain=%s type=%s", domain, qTypeName)
 			resp.Answer = append(resp.Answer, resutil.IPsToRRs(domain, ips, f.ttl)...)
 			resp.Rcode = dns.RcodeSuccess
-			f.writeResponse(logger, w, resp, domain, startTime)
+			if writeErr := w.WriteMsg(resp); writeErr != nil {
+				logger.Errorf("failed to write cached DNS response: %v", writeErr)
+			}
 			return
 		}

@@ -353,7 +365,9 @@ func (f *DNSForwarder) handleDNSError(
 		verifyResult := resutil.LookupIP(ctx, f.resolver, resutil.NetworkForQtype(qType), domain, qType)
 		if verifyResult.Rcode == dns.RcodeNameError || verifyResult.Rcode == dns.RcodeSuccess {
 			resp.Rcode = verifyResult.Rcode
-			f.writeResponse(logger, w, resp, domain, startTime)
+			if writeErr := w.WriteMsg(resp); writeErr != nil {
+				logger.Errorf("failed to write failure DNS response: %v", writeErr)
+			}
 			return
 		}
 	}
@@ -361,12 +375,15 @@ func (f *DNSForwarder) handleDNSError(
 	// No cache or verification failed. Log with or without the server field for more context.
 	var dnsErr *net.DNSError
 	if errors.As(result.Err, &dnsErr) && dnsErr.Server != "" {
-		logger.Warnf("upstream failure: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
+		logger.Warnf("failed to resolve: type=%s domain=%s server=%s: %v", qTypeName, domain, dnsErr.Server, result.Err)
 	} else {
 		logger.Warnf(errResolveFailed, domain, result.Err)
 	}

-	f.writeResponse(logger, w, resp, domain, startTime)
+	// Write final failure response.
+	if writeErr := w.WriteMsg(resp); writeErr != nil {
+		logger.Errorf("failed to write failure DNS response: %v", writeErr)
+	}
 }

 // getMatchingEntries retrieves the resource IDs for a given domain.
--- a/client/internal/dnsfwd/forwarder_test.go
+++ b/client/internal/dnsfwd/forwarder_test.go
@@ -318,9 +318,8 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 			query.SetQuestion(dns.Fqdn(tt.queryDomain), dns.TypeA)

 			mockWriter := &test.MockResponseWriter{}
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)

-			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode, "Expected successful response")
@@ -330,9 +329,10 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockFirewall.AssertExpectations(t)
 				mockResolver.AssertExpectations(t)
 			} else {
-				require.NotNil(t, resp, "Expected response")
-				assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
-					"Unauthorized domain should not return successful answers")
+				if resp != nil {
+					assert.True(t, len(resp.Answer) == 0 || resp.Rcode != dns.RcodeSuccess,
+						"Unauthorized domain should not return successful answers")
+				}
 				mockFirewall.AssertNotCalled(t, "UpdateSet")
 				mockResolver.AssertNotCalled(t, "LookupNetIP")
 			}
@@ -466,16 +466,14 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			dnsQuery.SetQuestion(dns.Fqdn(tt.query), dns.TypeA)

 			mockWriter := &test.MockResponseWriter{}
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery, time.Now())
+			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, dnsQuery)

 			// Verify response
-			resp := mockWriter.GetLastResponse()
 			if tt.shouldResolve {
 				require.NotNil(t, resp, "Expected response for authorized domain")
 				require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 				require.NotEmpty(t, resp.Answer)
-			} else {
-				require.NotNil(t, resp, "Expected response")
+			} else if resp != nil {
 				assert.True(t, resp.Rcode == dns.RcodeRefused || len(resp.Answer) == 0,
 					"Unauthorized domain should be refused or have no answers")
 			}
@@ -530,10 +528,9 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	query.SetQuestion("example.com.", dns.TypeA)

 	mockWriter := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)

 	// Verify response contains all IPs
-	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	require.Equal(t, dns.RcodeSuccess, resp.Rcode)
 	require.Len(t, resp.Answer, 3, "Should have 3 answer records")
@@ -608,7 +605,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 				},
 			}

-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+			_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)

 			// Check the response written to the writer
 			require.NotNil(t, writtenResp, "Expected response to be written")
@@ -678,8 +675,7 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
-	resp1 := w1.GetLastResponse()
+	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -687,13 +683,13 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	// Second query: serve from cache after upstream failure
 	q2 := &dns.Msg{}
 	q2.SetQuestion(dns.Fqdn("example.com"), dns.TypeA)
-	w2 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())
+	var writtenResp *dns.Msg
+	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
+	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)

-	resp2 := w2.GetLastResponse()
-	require.NotNil(t, resp2, "expected response to be written")
-	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
-	require.Len(t, resp2.Answer, 1)
+	require.NotNil(t, writtenResp, "expected response to be written")
+	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
+	require.Len(t, writtenResp.Answer, 1)

 	mockResolver.AssertExpectations(t)
 }
@@ -719,8 +715,7 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	q1 := &dns.Msg{}
 	q1.SetQuestion(mixedQuery+".", dns.TypeA)
 	w1 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1, time.Now())
-	resp1 := w1.GetLastResponse()
+	resp1 := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w1, q1)
 	require.NotNil(t, resp1)
 	require.Equal(t, dns.RcodeSuccess, resp1.Rcode)
 	require.Len(t, resp1.Answer, 1)
@@ -732,13 +727,13 @@ func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {

 	q2 := &dns.Msg{}
 	q2.SetQuestion("EXAMPLE.COM", dns.TypeA)
-	w2 := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2, time.Now())
+	var writtenResp *dns.Msg
+	w2 := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { writtenResp = m; return nil }}
+	_ = forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), w2, q2)

-	resp2 := w2.GetLastResponse()
-	require.NotNil(t, resp2)
-	require.Equal(t, dns.RcodeSuccess, resp2.Rcode)
-	require.Len(t, resp2.Answer, 1)
+	require.NotNil(t, writtenResp)
+	require.Equal(t, dns.RcodeSuccess, writtenResp.Rcode)
+	require.Len(t, writtenResp.Answer, 1)

 	mockResolver.AssertExpectations(t)
 }
@@ -789,9 +784,8 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	query.SetQuestion("smtp.mail.example.com.", dns.TypeA)

 	mockWriter := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)

-	resp := mockWriter.GetLastResponse()
 	require.NotNil(t, resp)
 	assert.Equal(t, dns.RcodeSuccess, resp.Rcode)

@@ -903,15 +897,26 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 			query := &dns.Msg{}
 			query.SetQuestion(dns.Fqdn("example.com"), tt.queryType)

-			mockWriter := &test.MockResponseWriter{}
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+			var writtenResp *dns.Msg
+			mockWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					writtenResp = m
+					return nil
+				},
+			}

-			resp := mockWriter.GetLastResponse()
-			require.NotNil(t, resp, "Expected response to be written")
-			assert.Equal(t, tt.expectedCode, resp.Rcode, tt.description)
+			resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)
+
+			// If a response was returned, it means it should be written (happens in wrapper functions)
+			if resp != nil && writtenResp == nil {
+				writtenResp = resp
+			}
+
+			require.NotNil(t, writtenResp, "Expected response to be written")
+			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)

 			if tt.expectNoAnswer {
-				assert.Empty(t, resp.Answer, "Response should have no answer records")
+				assert.Empty(t, writtenResp.Answer, "Response should have no answer records")
 			}

 			mockResolver.AssertExpectations(t)
@@ -926,8 +931,15 @@ func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	query := &dns.Msg{}
 	// Don't set any question

-	mockWriter := &test.MockResponseWriter{}
-	forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
+	writeCalled := false
+	mockWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			writeCalled = true
+			return nil
+		},
+	}
+	resp := forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query)

-	assert.Nil(t, mockWriter.GetLastResponse(), "Should not write response for empty query")
+	assert.Nil(t, resp, "Should return nil for empty query")
+	assert.False(t, writeCalled, "Should not write response for empty query")
 }
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -44,6 +44,7 @@ import (
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -140,6 +141,11 @@ type EngineConfig struct {
 	ProfileConfig *profilemanager.Config

 	LogPath string
+
+	// ProxyConfig contains system proxy settings for macOS
+	ProxyEnabled bool
+	ProxyHost    string
+	ProxyPort    int
 }

 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -223,6 +229,9 @@ type Engine struct {

 	jobExecutor   *jobexec.Executor
 	jobExecutorWG sync.WaitGroup
+
+	// proxyManager manages system-wide browser proxy settings on macOS
+	proxyManager *proxy.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -313,6 +322,12 @@ func (e *Engine) Stop() error {
 		e.updateManager.Stop()
 	}

+	if e.proxyManager != nil {
+		if err := e.proxyManager.DisableWebProxy(); err != nil {
+			log.Warnf("failed to disable system proxy: %v", err)
+		}
+	}
+
 	log.Info("cleaning up status recorder states")
 	e.statusRecorder.ReplaceOfflinePeers([]peer.State{})
 	e.statusRecorder.UpdateDNSStates([]peer.NSGroupState{})
@@ -448,6 +463,10 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	}
 	e.stateManager.Start()

+	// Initialize proxy manager and register state for cleanup
+	proxy.RegisterState(e.stateManager)
+	e.proxyManager = proxy.NewManager(e.stateManager)
+
 	initialRoutes, dnsConfig, dnsFeatureFlag, err := e.readInitialSettings()
 	if err != nil {
 		e.close()
@@ -828,10 +847,6 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate
 }

 func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
-	started := time.Now()
-	defer func() {
-		log.Infof("sync finished in %s", time.Since(started))
-	}()
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

@@ -1021,7 +1036,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
-	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
+	state.KernelInterface = device.WireGuardModuleIsLoaded()
 	state.FQDN = conf.GetFqdn()

 	e.statusRecorder.UpdateLocalPeerState(state)
@@ -1316,6 +1331,9 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	// If no server of a server group responds this will disable the respective handler and retry later.
 	e.dnsServer.ProbeAvailability()

+	// Update system proxy state based on routes after network map is fully applied
+	e.updateSystemProxy(clientRoutes)
+
 	return nil
 }

@@ -2307,6 +2325,26 @@ func createFile(path string) error {
 	return file.Close()
 }

+// updateSystemProxy triggers a proxy enable/disable cycle after the network map is updated.
+func (e *Engine) updateSystemProxy(clientRoutes route.HAMap) {
+	if runtime.GOOS != "darwin" || e.proxyManager == nil {
+		log.Errorf("not updating proxy")
+		return
+	}
+
+	if err := e.proxyManager.EnableWebProxy(e.config.ProxyHost, e.config.ProxyPort); err != nil {
+		log.Errorf("enable system proxy: %v", err)
+		return
+	}
+	log.Error("system proxy enabled after network map update")
+
+	if err := e.proxyManager.DisableWebProxy(); err != nil {
+		log.Errorf("disable system proxy: %v", err)
+		return
+	}
+	log.Error("system proxy disabled after network map update")
+}
+
 func convertToOfferAnswer(msg *sProto.Message) (*peer.OfferAnswer, error) {
 	remoteCred, err := signal.UnMarshalCredential(msg)
 	if err != nil {
--- a/client/internal/engine_ssh.go
+++ b/client/internal/engine_ssh.go
@@ -10,7 +10,6 @@ import (
 	log "github.com/sirupsen/logrus"

 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
@@ -95,10 +94,6 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {

 // updateSSHClientConfig updates the SSH client configuration with peer information
 func (e *Engine) updateSSHClientConfig(remotePeers []*mgmProto.RemotePeerConfig) error {
-	if netstack.IsEnabled() {
-		return nil
-	}
-
 	peerInfo := e.extractPeerSSHInfo(remotePeers)
 	if len(peerInfo) == 0 {
 		log.Debug("no SSH-enabled peers found, skipping SSH config update")
@@ -221,10 +216,6 @@ func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {

 // cleanupSSHConfig removes NetBird SSH client configuration on shutdown
 func (e *Engine) cleanupSSHConfig() {
-	if netstack.IsEnabled() {
-		return
-	}
-
 	configMgr := sshconfig.New()

 	if err := configMgr.RemoveSSHClientConfig(); err != nil {
--- a/client/internal/lazyconn/activity/manager.go
+++ b/client/internal/lazyconn/activity/manager.go
@@ -11,7 +11,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -75,13 +74,12 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}

-	// BindListener is used on Windows, JS, and netstack platforms:
+	// BindListener is only used on Windows and JS platforms:
 	// - JS: Cannot listen to UDP sockets
 	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
 	//   gateway points to, preventing them from reaching the loopback interface.
-	// - Netstack: Allows multiple instances on the same host without port conflicts.
-	// BindListener bypasses these issues by passing data directly through the bind.
-	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
+	//   BindListener bypasses this by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" {
 		return NewUDPListener(m.wgIface, peerCfg)
 	}

--- a/client/internal/peer/ice/agent.go
+++ b/client/internal/peer/ice/agent.go
@@ -2,7 +2,6 @@ package ice

 import (
 	"context"
-	"fmt"
 	"sync"
 	"time"

@@ -33,6 +32,24 @@ type ThreadSafeAgent struct {
 	once sync.Once
 }

+func (a *ThreadSafeAgent) Close() error {
+	var err error
+	a.once.Do(func() {
+		done := make(chan error, 1)
+		go func() {
+			done <- a.Agent.Close()
+		}()
+
+		select {
+		case err = <-done:
+		case <-time.After(iceAgentCloseTimeout):
+			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
+			err = nil
+		}
+	})
+	return err
+}
+
 func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
@@ -76,41 +93,9 @@ func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, c
 		return nil, err
 	}

-	if agent == nil {
-		return nil, fmt.Errorf("ice.NewAgent returned nil agent without error")
-	}
-
 	return &ThreadSafeAgent{Agent: agent}, nil
 }

-func (a *ThreadSafeAgent) Close() error {
-	var err error
-	a.once.Do(func() {
-		// Defensive check to prevent nil pointer dereference
-		// This can happen during sleep/wake transitions or memory corruption scenarios
-		// github.com/netbirdio/netbird/client/internal/peer/ice.(*ThreadSafeAgent).Close(0x40006883f0?)
-		//  [signal 0xc0000005 code=0x0 addr=0x0 pc=0x7ff7e73af83c]
-		agent := a.Agent
-		if agent == nil {
-			log.Warnf("ICE agent is nil during close, skipping")
-			return
-		}
-
-		done := make(chan error, 1)
-		go func() {
-			done <- agent.Close()
-		}()
-
-		select {
-		case err = <-done:
-		case <-time.After(iceAgentCloseTimeout):
-			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
-			err = nil
-		}
-	})
-	return err
-}
-
 func GenerateICECredentials() (string, string, error) {
 	ufrag, err := randutil.GenerateCryptoRandomString(lenUFrag, runesAlpha)
 	if err != nil {
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -107,10 +107,8 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
 		w.agentDialerCancel()
-		if w.agent != nil {
-			if err := w.agent.Close(); err != nil {
-				w.log.Warnf("failed to close ICE agent: %s", err)
-			}
+		if err := w.agent.Close(); err != nil {
+			w.log.Warnf("failed to close ICE agent: %s", err)
 		}

 		sessionID, err := NewICESessionID()
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -252,7 +252,7 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 	}

 	if config.AdminURL == nil {
-		log.Infof("using default Admin URL %s", DefaultAdminURL)
+		log.Infof("using default Admin URL %s", DefaultManagementURL)
 		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
 		if err != nil {
 			return false, err
--- a/client/internal/proxy/manager_darwin.go
+++ b/client/internal/proxy/manager_darwin.go
@@ -0,0 +1,262 @@
+//go:build darwin && !ios
+
+package proxy
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)
+
+const networksetupPath = "/usr/sbin/networksetup"
+
+// Manager handles system-wide proxy configuration on macOS.
+type Manager struct {
+	mu               sync.Mutex
+	stateManager     *statemanager.Manager
+	modifiedServices []string
+	enabled          bool
+}
+
+// NewManager creates a new proxy manager.
+func NewManager(stateManager *statemanager.Manager) *Manager {
+	return &Manager{
+		stateManager: stateManager,
+	}
+}
+
+// GetActiveNetworkServices returns the list of active network services.
+func GetActiveNetworkServices() ([]string, error) {
+	cmd := exec.Command(networksetupPath, "-listallnetworkservices")
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("list network services: %w", err)
+	}
+
+	lines := strings.Split(string(out), "\n")
+	var services []string
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" || strings.HasPrefix(line, "*") || strings.Contains(line, "asterisk") {
+			continue
+		}
+		services = append(services, line)
+	}
+	return services, nil
+}
+
+// EnableWebProxy enables web proxy for all active network services.
+func (m *Manager) EnableWebProxy(host string, port int) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.enabled {
+		log.Debug("web proxy already enabled")
+		return nil
+	}
+
+	services, err := GetActiveNetworkServices()
+	if err != nil {
+		return err
+	}
+
+	var modifiedServices []string
+	for _, service := range services {
+		if err := m.enableProxyForService(service, host, port); err != nil {
+			log.Warnf("enable proxy for %s: %v", service, err)
+			continue
+		}
+		modifiedServices = append(modifiedServices, service)
+	}
+
+	m.modifiedServices = modifiedServices
+	m.enabled = true
+	m.updateState()
+
+	log.Infof("enabled web proxy on %d services -> %s:%d", len(modifiedServices), host, port)
+	return nil
+}
+
+func (m *Manager) enableProxyForService(service, host string, port int) error {
+	portStr := fmt.Sprintf("%d", port)
+
+	// Set web proxy (HTTP)
+	cmd := exec.Command(networksetupPath, "-setwebproxy", service, host, portStr)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("set web proxy: %w, output: %s", err, out)
+	}
+
+	// Enable web proxy
+	cmd = exec.Command(networksetupPath, "-setwebproxystate", service, "on")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("enable web proxy state: %w, output: %s", err, out)
+	}
+
+	// Set secure web proxy (HTTPS)
+	cmd = exec.Command(networksetupPath, "-setsecurewebproxy", service, host, portStr)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("set secure web proxy: %w, output: %s", err, out)
+	}
+
+	// Enable secure web proxy
+	cmd = exec.Command(networksetupPath, "-setsecurewebproxystate", service, "on")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("enable secure web proxy state: %w, output: %s", err, out)
+	}
+
+	log.Debugf("enabled proxy for service %s", service)
+	return nil
+}
+
+// DisableWebProxy disables web proxy for all modified network services.
+func (m *Manager) DisableWebProxy() error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if !m.enabled {
+		log.Debug("web proxy already disabled")
+		return nil
+	}
+
+	services := m.modifiedServices
+	if len(services) == 0 {
+		services, _ = GetActiveNetworkServices()
+	}
+
+	for _, service := range services {
+		if err := m.disableProxyForService(service); err != nil {
+			log.Warnf("disable proxy for %s: %v", service, err)
+		}
+	}
+
+	m.modifiedServices = nil
+	m.enabled = false
+	m.updateState()
+
+	log.Info("disabled web proxy")
+	return nil
+}
+
+func (m *Manager) disableProxyForService(service string) error {
+	// Disable web proxy (HTTP)
+	cmd := exec.Command(networksetupPath, "-setwebproxystate", service, "off")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("disable web proxy: %w, output: %s", err, out)
+	}
+
+	// Disable secure web proxy (HTTPS)
+	cmd = exec.Command(networksetupPath, "-setsecurewebproxystate", service, "off")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("disable secure web proxy: %w, output: %s", err, out)
+	}
+
+	log.Debugf("disabled proxy for service %s", service)
+	return nil
+}
+
+// SetAutoproxyURL sets the automatic proxy configuration URL (PAC file).
+func (m *Manager) SetAutoproxyURL(pacURL string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	services, err := GetActiveNetworkServices()
+	if err != nil {
+		return err
+	}
+
+	var modifiedServices []string
+	for _, service := range services {
+		cmd := exec.Command(networksetupPath, "-setautoproxyurl", service, pacURL)
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("set autoproxy for %s: %v, output: %s", service, err, out)
+			continue
+		}
+
+		cmd = exec.Command(networksetupPath, "-setautoproxystate", service, "on")
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("enable autoproxy for %s: %v, output: %s", service, err, out)
+			continue
+		}
+
+		modifiedServices = append(modifiedServices, service)
+		log.Debugf("set autoproxy URL for %s -> %s", service, pacURL)
+	}
+
+	m.modifiedServices = modifiedServices
+	m.enabled = true
+	m.updateState()
+
+	return nil
+}
+
+// DisableAutoproxy disables automatic proxy configuration.
+func (m *Manager) DisableAutoproxy() error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	services := m.modifiedServices
+	if len(services) == 0 {
+		services, _ = GetActiveNetworkServices()
+	}
+
+	for _, service := range services {
+		cmd := exec.Command(networksetupPath, "-setautoproxystate", service, "off")
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("disable autoproxy for %s: %v, output: %s", service, err, out)
+		}
+	}
+
+	m.modifiedServices = nil
+	m.enabled = false
+	m.updateState()
+
+	return nil
+}
+
+// IsEnabled returns whether the proxy is currently enabled.
+func (m *Manager) IsEnabled() bool {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.enabled
+}
+
+// Restore restores proxy settings from a previous state.
+func (m *Manager) Restore(services []string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	for _, service := range services {
+		if err := m.disableProxyForService(service); err != nil {
+			log.Warnf("restore proxy for %s: %v", service, err)
+		}
+	}
+
+	m.modifiedServices = nil
+	m.enabled = false
+
+	return nil
+}
+
+func (m *Manager) updateState() {
+	if m.stateManager == nil {
+		return
+	}
+
+	if m.enabled && len(m.modifiedServices) > 0 {
+		state := &ShutdownState{
+			ModifiedServices: m.modifiedServices,
+		}
+		if err := m.stateManager.UpdateState(state); err != nil {
+			log.Errorf("update proxy state: %v", err)
+		}
+	} else {
+		if err := m.stateManager.DeleteState(&ShutdownState{}); err != nil {
+			log.Debugf("delete proxy state: %v", err)
+		}
+	}
+}
--- a/client/internal/proxy/manager_other.go
+++ b/client/internal/proxy/manager_other.go
@@ -0,0 +1,45 @@
+//go:build !darwin || ios
+
+package proxy
+
+import (
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)
+
+// Manager is a no-op proxy manager for non-macOS platforms.
+type Manager struct{}
+
+// NewManager creates a new proxy manager (no-op on non-macOS).
+func NewManager(_ *statemanager.Manager) *Manager {
+	return &Manager{}
+}
+
+// EnableWebProxy is a no-op on non-macOS platforms.
+func (m *Manager) EnableWebProxy(host string, port int) error {
+	return nil
+}
+
+// DisableWebProxy is a no-op on non-macOS platforms.
+func (m *Manager) DisableWebProxy() error {
+	return nil
+}
+
+// SetAutoproxyURL is a no-op on non-macOS platforms.
+func (m *Manager) SetAutoproxyURL(pacURL string) error {
+	return nil
+}
+
+// DisableAutoproxy is a no-op on non-macOS platforms.
+func (m *Manager) DisableAutoproxy() error {
+	return nil
+}
+
+// IsEnabled always returns false on non-macOS platforms.
+func (m *Manager) IsEnabled() bool {
+	return false
+}
+
+// Restore is a no-op on non-macOS platforms.
+func (m *Manager) Restore(services []string) error {
+	return nil
+}
--- a/client/internal/proxy/manager_test.go
+++ b/client/internal/proxy/manager_test.go
@@ -0,0 +1,88 @@
+//go:build darwin && !ios
+
+package proxy
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetActiveNetworkServices(t *testing.T) {
+	services, err := GetActiveNetworkServices()
+	assert.NoError(t, err)
+	assert.NotEmpty(t, services, "should have at least one network service")
+
+	// Check that services don't contain invalid entries
+	for _, service := range services {
+		assert.NotEmpty(t, service)
+		assert.NotContains(t, service, "*")
+	}
+}
+
+func TestManager_EnableDisableWebProxy(t *testing.T) {
+	// Skip this test in CI as it requires admin privileges
+	if testing.Short() {
+		t.Skip("skipping proxy test in short mode")
+	}
+
+	m := NewManager(nil)
+	assert.NotNil(t, m)
+	assert.False(t, m.IsEnabled())
+
+	// This test would require admin privileges to actually enable the proxy
+	// So we just test the basic state management
+}
+
+func TestShutdownState_Name(t *testing.T) {
+	state := &ShutdownState{}
+	assert.Equal(t, "proxy_state", state.Name())
+}
+
+func TestShutdownState_Cleanup_EmptyServices(t *testing.T) {
+	state := &ShutdownState{
+		ModifiedServices: []string{},
+	}
+	err := state.Cleanup()
+	assert.NoError(t, err)
+}
+
+func TestContains(t *testing.T) {
+	tests := []struct {
+		s      string
+		substr string
+		want   bool
+	}{
+		{"Enabled: Yes", "Enabled: Yes", true},
+		{"Enabled: No", "Enabled: Yes", false},
+		{"Server: 127.0.0.1\nEnabled: Yes\nPort: 8080", "Enabled: Yes", true},
+		{"", "Enabled: Yes", false},
+		{"Enabled: Yes", "", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.s+"_"+tt.substr, func(t *testing.T) {
+			got := contains(tt.s, tt.substr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestIsProxyEnabled(t *testing.T) {
+	tests := []struct {
+		output string
+		want   bool
+	}{
+		{"Enabled: Yes\nServer: 127.0.0.1\nPort: 8080", true},
+		{"Enabled: No\nServer: \nPort: 0", false},
+		{"Server: 127.0.0.1\nEnabled: Yes\nPort: 8080", true},
+		{"", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.output, func(t *testing.T) {
+			got := isProxyEnabled(tt.output)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/client/internal/proxy/state_darwin.go
+++ b/client/internal/proxy/state_darwin.go
@@ -0,0 +1,105 @@
+//go:build darwin && !ios
+
+package proxy
+
+import (
+	"fmt"
+	"os/exec"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)
+
+// ShutdownState stores proxy state for cleanup on unclean shutdown.
+type ShutdownState struct {
+	ModifiedServices []string `json:"modified_services"`
+}
+
+// Name returns the state name for persistence.
+func (s *ShutdownState) Name() string {
+	return "proxy_state"
+}
+
+// Cleanup restores proxy settings after an unclean shutdown.
+func (s *ShutdownState) Cleanup() error {
+	if len(s.ModifiedServices) == 0 {
+		return nil
+	}
+
+	log.Infof("cleaning up proxy state for %d services", len(s.ModifiedServices))
+
+	for _, service := range s.ModifiedServices {
+		// Disable web proxy (HTTP)
+		cmd := exec.Command(networksetupPath, "-setwebproxystate", service, "off")
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("cleanup web proxy for %s: %v, output: %s", service, err, out)
+		}
+
+		// Disable secure web proxy (HTTPS)
+		cmd = exec.Command(networksetupPath, "-setsecurewebproxystate", service, "off")
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("cleanup secure web proxy for %s: %v, output: %s", service, err, out)
+		}
+
+		// Disable autoproxy
+		cmd = exec.Command(networksetupPath, "-setautoproxystate", service, "off")
+		if out, err := cmd.CombinedOutput(); err != nil {
+			log.Warnf("cleanup autoproxy for %s: %v, output: %s", service, err, out)
+		}
+
+		log.Debugf("cleaned up proxy for service %s", service)
+	}
+
+	return nil
+}
+
+// RegisterState registers the proxy state with the state manager.
+func RegisterState(stateManager *statemanager.Manager) {
+	if stateManager == nil {
+		return
+	}
+	stateManager.RegisterState(&ShutdownState{})
+}
+
+// GetProxyState returns the current proxy state from the command line.
+func GetProxyState(service string) (webProxy, secureProxy, autoProxy bool, err error) {
+	// Check web proxy state
+	cmd := exec.Command(networksetupPath, "-getwebproxy", service)
+	out, err := cmd.Output()
+	if err != nil {
+		return false, false, false, fmt.Errorf("get web proxy: %w", err)
+	}
+	webProxy = isProxyEnabled(string(out))
+
+	// Check secure web proxy state
+	cmd = exec.Command(networksetupPath, "-getsecurewebproxy", service)
+	out, err = cmd.Output()
+	if err != nil {
+		return false, false, false, fmt.Errorf("get secure web proxy: %w", err)
+	}
+	secureProxy = isProxyEnabled(string(out))
+
+	// Check autoproxy state
+	cmd = exec.Command(networksetupPath, "-getautoproxyurl", service)
+	out, err = cmd.Output()
+	if err != nil {
+		return false, false, false, fmt.Errorf("get autoproxy: %w", err)
+	}
+	autoProxy = isProxyEnabled(string(out))
+
+	return webProxy, secureProxy, autoProxy, nil
+}
+
+func isProxyEnabled(output string) bool {
+	return !contains(output, "Enabled: No") && contains(output, "Enabled: Yes")
+}
+
+func contains(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}
--- a/client/internal/proxy/state_other.go
+++ b/client/internal/proxy/state_other.go
@@ -0,0 +1,24 @@
+//go:build !darwin || ios
+
+package proxy
+
+import (
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)
+
+// ShutdownState is a no-op state for non-macOS platforms.
+type ShutdownState struct{}
+
+// Name returns the state name.
+func (s *ShutdownState) Name() string {
+	return "proxy_state"
+}
+
+// Cleanup is a no-op on non-macOS platforms.
+func (s *ShutdownState) Cleanup() error {
+	return nil
+}
+
+// RegisterState is a no-op on non-macOS platforms.
+func RegisterState(stateManager *statemanager.Manager) {
+}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -173,21 +173,12 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 }

 func (m *DefaultManager) setupRefCounters(useNoop bool) {
-	var once sync.Once
-	var wgIface *net.Interface
-	toInterface := func() *net.Interface {
-		once.Do(func() {
-			wgIface = m.wgInterface.ToInterface()
-		})
-		return wgIface
-	}
-
 	m.routeRefCounter = refcounter.New(
 		func(prefix netip.Prefix, _ struct{}) (struct{}, error) {
-			return struct{}{}, m.sysOps.AddVPNRoute(prefix, toInterface())
+			return struct{}{}, m.sysOps.AddVPNRoute(prefix, m.wgInterface.ToInterface())
 		},
 		func(prefix netip.Prefix, _ struct{}) error {
-			return m.sysOps.RemoveVPNRoute(prefix, toInterface())
+			return m.sysOps.RemoveVPNRoute(prefix, m.wgInterface.ToInterface())
 		},
 	)

--- a/client/internal/routemanager/systemops/routeflags_bsd.go
+++ b/client/internal/routemanager/systemops/routeflags_bsd.go
@@ -4,17 +4,16 @@ package systemops

 import (
 	"strings"
-
-	"golang.org/x/sys/unix"
+	"syscall"
 )

 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&unix.RTF_UP == 0 {
+	if routeMessageFlags&syscall.RTF_UP == 0 {
 		return true
 	}

-	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE|unix.RTF_WASCLONED) != 0 {
+	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
 		return true
 	}

@@ -25,51 +24,42 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string

-	if flags&unix.RTF_UP != 0 {
+	if flags&syscall.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&unix.RTF_GATEWAY != 0 {
+	if flags&syscall.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&unix.RTF_HOST != 0 {
+	if flags&syscall.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&unix.RTF_REJECT != 0 {
+	if flags&syscall.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&unix.RTF_DYNAMIC != 0 {
+	if flags&syscall.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&unix.RTF_MODIFIED != 0 {
+	if flags&syscall.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&unix.RTF_STATIC != 0 {
+	if flags&syscall.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&unix.RTF_LLINFO != 0 {
+	if flags&syscall.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&unix.RTF_LOCAL != 0 {
+	if flags&syscall.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&unix.RTF_BLACKHOLE != 0 {
+	if flags&syscall.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
-	if flags&unix.RTF_CLONING != 0 {
+	if flags&syscall.RTF_CLONING != 0 {
 		flagStrs = append(flagStrs, "C")
 	}
-	if flags&unix.RTF_WASCLONED != 0 {
+	if flags&syscall.RTF_WASCLONED != 0 {
 		flagStrs = append(flagStrs, "W")
 	}
-	if flags&unix.RTF_PROTO1 != 0 {
-		flagStrs = append(flagStrs, "1")
-	}
-	if flags&unix.RTF_PROTO2 != 0 {
-		flagStrs = append(flagStrs, "2")
-	}
-	if flags&unix.RTF_PROTO3 != 0 {
-		flagStrs = append(flagStrs, "3")
-	}

 	if len(flagStrs) == 0 {
 		return "-"
--- a/client/internal/routemanager/systemops/routeflags_freebsd.go
+++ b/client/internal/routemanager/systemops/routeflags_freebsd.go
@@ -4,18 +4,17 @@ package systemops

 import (
 	"strings"
-
-	"golang.org/x/sys/unix"
+	"syscall"
 )

 // filterRoutesByFlags returns true if the route message should be ignored based on its flags.
 func filterRoutesByFlags(routeMessageFlags int) bool {
-	if routeMessageFlags&unix.RTF_UP == 0 {
+	if routeMessageFlags&syscall.RTF_UP == 0 {
 		return true
 	}

-	// NOTE: RTF_WASCLONED deprecated in FreeBSD 8.0
-	if routeMessageFlags&(unix.RTF_REJECT|unix.RTF_BLACKHOLE) != 0 {
+	// NOTE: syscall.RTF_WASCLONED deprecated in FreeBSD 8.0
+	if routeMessageFlags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE) != 0 {
 		return true
 	}

@@ -26,46 +25,37 @@ func filterRoutesByFlags(routeMessageFlags int) bool {
 func formatBSDFlags(flags int) string {
 	var flagStrs []string

-	if flags&unix.RTF_UP != 0 {
+	if flags&syscall.RTF_UP != 0 {
 		flagStrs = append(flagStrs, "U")
 	}
-	if flags&unix.RTF_GATEWAY != 0 {
+	if flags&syscall.RTF_GATEWAY != 0 {
 		flagStrs = append(flagStrs, "G")
 	}
-	if flags&unix.RTF_HOST != 0 {
+	if flags&syscall.RTF_HOST != 0 {
 		flagStrs = append(flagStrs, "H")
 	}
-	if flags&unix.RTF_REJECT != 0 {
+	if flags&syscall.RTF_REJECT != 0 {
 		flagStrs = append(flagStrs, "R")
 	}
-	if flags&unix.RTF_DYNAMIC != 0 {
+	if flags&syscall.RTF_DYNAMIC != 0 {
 		flagStrs = append(flagStrs, "D")
 	}
-	if flags&unix.RTF_MODIFIED != 0 {
+	if flags&syscall.RTF_MODIFIED != 0 {
 		flagStrs = append(flagStrs, "M")
 	}
-	if flags&unix.RTF_STATIC != 0 {
+	if flags&syscall.RTF_STATIC != 0 {
 		flagStrs = append(flagStrs, "S")
 	}
-	if flags&unix.RTF_LLINFO != 0 {
+	if flags&syscall.RTF_LLINFO != 0 {
 		flagStrs = append(flagStrs, "L")
 	}
-	if flags&unix.RTF_LOCAL != 0 {
+	if flags&syscall.RTF_LOCAL != 0 {
 		flagStrs = append(flagStrs, "l")
 	}
-	if flags&unix.RTF_BLACKHOLE != 0 {
+	if flags&syscall.RTF_BLACKHOLE != 0 {
 		flagStrs = append(flagStrs, "B")
 	}
 	// Note: RTF_CLONING and RTF_WASCLONED deprecated in FreeBSD 8.0
-	if flags&unix.RTF_PROTO1 != 0 {
-		flagStrs = append(flagStrs, "1")
-	}
-	if flags&unix.RTF_PROTO2 != 0 {
-		flagStrs = append(flagStrs, "2")
-	}
-	if flags&unix.RTF_PROTO3 != 0 {
-		flagStrs = append(flagStrs, "3")
-	}

 	if len(flagStrs) == 0 {
 		return "-"
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,6 @@ require (
 	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
-	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
 	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
 	github.com/dexidp/dex/api/v2 v2.4.0
@@ -168,6 +167,7 @@ require (
 	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
--- a/idp/dex/connector.go
+++ b/idp/dex/connector.go
@@ -327,60 +327,6 @@ func ensureLocalConnector(ctx context.Context, stor storage.Storage) error {
 	return nil
 }

-// HasNonLocalConnectors checks if there are any connectors other than the local connector.
-func (p *Provider) HasNonLocalConnectors(ctx context.Context) (bool, error) {
-	connectors, err := p.storage.ListConnectors(ctx)
-	if err != nil {
-		return false, fmt.Errorf("failed to list connectors: %w", err)
-	}
-
-	p.logger.Info("checking for non-local connectors", "total_connectors", len(connectors))
-	for _, conn := range connectors {
-		p.logger.Info("found connector in storage", "id", conn.ID, "type", conn.Type, "name", conn.Name)
-		if conn.ID != "local" || conn.Type != "local" {
-			p.logger.Info("found non-local connector", "id", conn.ID)
-			return true, nil
-		}
-	}
-	p.logger.Info("no non-local connectors found")
-	return false, nil
-}
-
-// DisableLocalAuth removes the local (password) connector.
-// Returns an error if no other connectors are configured.
-func (p *Provider) DisableLocalAuth(ctx context.Context) error {
-	hasOthers, err := p.HasNonLocalConnectors(ctx)
-	if err != nil {
-		return err
-	}
-	if !hasOthers {
-		return fmt.Errorf("cannot disable local authentication: no other identity providers configured")
-	}
-
-	// Check if local connector exists
-	_, err = p.storage.GetConnector(ctx, "local")
-	if errors.Is(err, storage.ErrNotFound) {
-		// Already disabled
-		return nil
-	}
-	if err != nil {
-		return fmt.Errorf("failed to check local connector: %w", err)
-	}
-
-	// Delete the local connector
-	if err := p.storage.DeleteConnector(ctx, "local"); err != nil {
-		return fmt.Errorf("failed to delete local connector: %w", err)
-	}
-
-	p.logger.Info("local authentication disabled")
-	return nil
-}
-
-// EnableLocalAuth creates the local (password) connector if it doesn't exist.
-func (p *Provider) EnableLocalAuth(ctx context.Context) error {
-	return ensureLocalConnector(ctx, p.storage)
-}
-
 // ensureStaticConnectors creates or updates static connectors in storage
 func ensureStaticConnectors(ctx context.Context, stor storage.Storage, connectors []Connector) error {
 	for _, conn := range connectors {
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -19,8 +19,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

-	"github.com/netbirdio/netbird/management/server/types"
-
 	"github.com/netbirdio/netbird/formatter/hook"
 	"github.com/netbirdio/netbird/management/internals/server"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
@@ -215,14 +213,11 @@ func applyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	// Set HttpConfig values from EmbeddedIdP
 	cfg.HttpConfig.AuthIssuer = issuer
 	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
-	cfg.HttpConfig.AuthClientID = cfg.HttpConfig.AuthAudience
 	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
 	cfg.HttpConfig.AuthUserIDClaim = "sub"
 	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
 	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
 	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
-	callbackURL := strings.TrimSuffix(cfg.HttpConfig.AuthIssuer, "/oauth2")
-	cfg.HttpConfig.AuthCallbackURL = callbackURL + types.ProxyCallbackEndpointFull

 	return nil
 }
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -80,10 +80,4 @@ func init() {
 	migrationCmd.AddCommand(upCmd)

 	rootCmd.AddCommand(migrationCmd)
-
-	tokenCmd.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
-	tokenCmd.AddCommand(tokenCreateCmd)
-	tokenCmd.AddCommand(tokenListCmd)
-	tokenCmd.AddCommand(tokenRevokeCmd)
-	rootCmd.AddCommand(tokenCmd)
 }
--- a/management/cmd/token.go
+++ b/management/cmd/token.go
@@ -1,208 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"strconv"
-	"text/tabwriter"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-)
-
-var (
-	tokenName     string
-	tokenExpireIn string
-	tokenDatadir  string
-
-	tokenCmd = &cobra.Command{
-		Use:   "token",
-		Short: "Manage proxy access tokens",
-		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
-	}
-
-	tokenCreateCmd = &cobra.Command{
-		Use:   "create",
-		Short: "Create a new proxy access token",
-		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
-		RunE:  tokenCreateRun,
-	}
-
-	tokenListCmd = &cobra.Command{
-		Use:     "list",
-		Aliases: []string{"ls"},
-		Short:   "List all proxy access tokens",
-		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
-		RunE:    tokenListRun,
-	}
-
-	tokenRevokeCmd = &cobra.Command{
-		Use:   "revoke [token-id]",
-		Short: "Revoke a proxy access token",
-		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
-		Args:  cobra.ExactArgs(1),
-		RunE:  tokenRevokeRun,
-	}
-)
-
-func init() {
-	tokenCmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
-
-	tokenCreateCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
-	tokenCreateCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
-	tokenCreateCmd.MarkFlagRequired("name") //nolint
-}
-
-// withTokenStore initializes logging, loads config, opens the store, and calls fn.
-func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource)
-
-	config, err := loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	datadir := config.Datadir
-	if tokenDatadir != "" {
-		datadir = tokenDatadir
-	}
-
-	s, err := store.NewStore(ctx, config.StoreConfig.Engine, datadir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := s.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, s)
-}
-
-func tokenCreateRun(cmd *cobra.Command, _ []string) error {
-	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
-		expiresIn, err := parseDuration(tokenExpireIn)
-		if err != nil {
-			return fmt.Errorf("parse expiration: %w", err)
-		}
-
-		generated, err := types.CreateNewProxyAccessToken(tokenName, expiresIn, nil, "CLI")
-		if err != nil {
-			return fmt.Errorf("generate token: %w", err)
-		}
-
-		if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
-			return fmt.Errorf("save token: %w", err)
-		}
-
-		fmt.Println("Token created successfully!")
-		fmt.Printf("Token: %s\n", generated.PlainToken)
-		fmt.Println()
-		fmt.Println("IMPORTANT: Save this token now. It will not be shown again.")
-		fmt.Printf("Token ID: %s\n", generated.ID)
-
-		return nil
-	})
-}
-
-func tokenListRun(cmd *cobra.Command, _ []string) error {
-	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
-		tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
-		if err != nil {
-			return fmt.Errorf("list tokens: %w", err)
-		}
-
-		if len(tokens) == 0 {
-			fmt.Println("No proxy access tokens found.")
-			return nil
-		}
-
-		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-		fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
-		fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
-
-		for _, t := range tokens {
-			expires := "never"
-			if t.ExpiresAt != nil {
-				expires = t.ExpiresAt.Format("2006-01-02")
-			}
-
-			lastUsed := "never"
-			if t.LastUsed != nil {
-				lastUsed = t.LastUsed.Format("2006-01-02 15:04")
-			}
-
-			revoked := "no"
-			if t.Revoked {
-				revoked = "yes"
-			}
-
-			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
-				t.ID,
-				t.Name,
-				t.CreatedAt.Format("2006-01-02"),
-				expires,
-				lastUsed,
-				revoked,
-			)
-		}
-
-		w.Flush()
-
-		return nil
-	})
-}
-
-func tokenRevokeRun(cmd *cobra.Command, args []string) error {
-	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
-		tokenID := args[0]
-
-		if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
-			return fmt.Errorf("revoke token: %w", err)
-		}
-
-		fmt.Printf("Token %s revoked successfully.\n", tokenID)
-		return nil
-	})
-}
-
-// parseDuration parses a duration string with support for days (e.g., "30d", "365d").
-// An empty string returns zero duration (no expiration).
-func parseDuration(s string) (time.Duration, error) {
-	if len(s) == 0 {
-		return 0, nil
-	}
-
-	if s[len(s)-1] == 'd' {
-		d, err := strconv.Atoi(s[:len(s)-1])
-		if err != nil {
-			return 0, fmt.Errorf("invalid day format: %s", s)
-		}
-		if d <= 0 {
-			return 0, fmt.Errorf("duration must be positive: %s", s)
-		}
-		return time.Duration(d) * 24 * time.Hour, nil
-	}
-
-	d, err := time.ParseDuration(s)
-	if err != nil {
-		return 0, err
-	}
-	if d <= 0 {
-		return 0, fmt.Errorf("duration must be positive: %s", s)
-	}
-	return d, nil
-}
--- a/management/cmd/token_test.go
+++ b/management/cmd/token_test.go
@@ -1,101 +0,0 @@
-package cmd
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestParseDuration(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected time.Duration
-		wantErr  bool
-	}{
-		{
-			name:     "empty string returns zero",
-			input:    "",
-			expected: 0,
-		},
-		{
-			name:     "days suffix",
-			input:    "30d",
-			expected: 30 * 24 * time.Hour,
-		},
-		{
-			name:     "one day",
-			input:    "1d",
-			expected: 24 * time.Hour,
-		},
-		{
-			name:     "365 days",
-			input:    "365d",
-			expected: 365 * 24 * time.Hour,
-		},
-		{
-			name:     "hours via Go duration",
-			input:    "24h",
-			expected: 24 * time.Hour,
-		},
-		{
-			name:     "minutes via Go duration",
-			input:    "30m",
-			expected: 30 * time.Minute,
-		},
-		{
-			name:     "complex Go duration",
-			input:    "1h30m",
-			expected: 90 * time.Minute,
-		},
-		{
-			name:    "invalid day format",
-			input:   "abcd",
-			wantErr: true,
-		},
-		{
-			name:    "negative days",
-			input:   "-1d",
-			wantErr: true,
-		},
-		{
-			name:    "zero days",
-			input:   "0d",
-			wantErr: true,
-		},
-		{
-			name:    "non-numeric days",
-			input:   "xyzd",
-			wantErr: true,
-		},
-		{
-			name:    "negative Go duration",
-			input:   "-24h",
-			wantErr: true,
-		},
-		{
-			name:    "zero Go duration",
-			input:   "0s",
-			wantErr: true,
-		},
-		{
-			name:    "invalid Go duration",
-			input:   "notaduration",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := parseDuration(tt.input)
-			if tt.wantErr {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -174,7 +174,6 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	var wg sync.WaitGroup
 	semaphore := make(chan struct{}, 10)

-	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -248,10 +247,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
 			c.metrics.CountToSyncResponseDuration(time.Since(start))

-			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
-				Update:      update,
-				MessageType: network_map.MessageTypeNetworkMap,
-			})
+			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{Update: update})
 		}(peer)
 	}

@@ -327,7 +323,6 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return fmt.Errorf("failed to get validated peers: %v", err)
 	}

-	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -375,10 +370,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)

 	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
-	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{
-		Update:      update,
-		MessageType: network_map.MessageTypeNetworkMap,
-	})
+	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{Update: update})

 	return nil
 }
@@ -443,8 +435,6 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		}
 	}

-	account.InjectProxyPolicies(ctx)
-
 	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
 		return nil, nil, nil, 0, err
@@ -788,7 +778,6 @@ func (c *Controller) OnPeersDeleted(ctx context.Context, accountID string, peerI
 					},
 				},
 			},
-			MessageType: network_map.MessageTypeNetworkMap,
 		})
 		c.peersUpdateManager.CloseChannel(ctx, peerID)

@@ -851,7 +840,6 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 	if c.experimentalNetworkMap(peer.AccountID) {
 		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
 	} else {
-		account.InjectProxyPolicies(ctx)
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
 		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
--- a/management/internals/controllers/network_map/update_channel/updatechannel_test.go
+++ b/management/internals/controllers/network_map/update_channel/updatechannel_test.go
@@ -25,14 +25,11 @@ func TestCreateChannel(t *testing.T) {
 func TestSendUpdate(t *testing.T) {
 	peer := "test-sendupdate"
 	peersUpdater := NewPeersUpdateManager(nil)
-	update1 := &network_map.UpdateMessage{
-		Update: &proto.SyncResponse{
-			NetworkMap: &proto.NetworkMap{
-				Serial: 0,
-			},
+	update1 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
+		NetworkMap: &proto.NetworkMap{
+			Serial: 0,
 		},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
+	}}
 	_ = peersUpdater.CreateChannel(context.Background(), peer)
 	if _, ok := peersUpdater.peerChannels[peer]; !ok {
 		t.Error("Error creating the channel")
@@ -48,14 +45,11 @@ func TestSendUpdate(t *testing.T) {
 		peersUpdater.SendUpdate(context.Background(), peer, update1)
 	}

-	update2 := &network_map.UpdateMessage{
-		Update: &proto.SyncResponse{
-			NetworkMap: &proto.NetworkMap{
-				Serial: 10,
-			},
+	update2 := &network_map.UpdateMessage{Update: &proto.SyncResponse{
+		NetworkMap: &proto.NetworkMap{
+			Serial: 10,
 		},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
+	}}

 	peersUpdater.SendUpdate(context.Background(), peer, update2)
 	timeout := time.After(5 * time.Second)
--- a/management/internals/controllers/network_map/update_message.go
+++ b/management/internals/controllers/network_map/update_message.go
@@ -4,19 +4,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

-// MessageType indicates the type of update message for debouncing strategy
-type MessageType int
-
-const (
-	// MessageTypeNetworkMap represents network map updates (peers, routes, DNS, firewall)
-	// These updates can be safely debounced - only the latest state matters
-	MessageTypeNetworkMap MessageType = iota
-	// MessageTypeControlConfig represents control/config updates (tokens, peer expiration)
-	// These updates should not be dropped as they contain time-sensitive information
-	MessageTypeControlConfig
-)
-
 type UpdateMessage struct {
-	Update      *proto.SyncResponse
-	MessageType MessageType
+	Update *proto.SyncResponse
 }
--- a/management/internals/modules/peers/manager.go
+++ b/management/internals/modules/peers/manager.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"time"

-	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
@@ -33,7 +32,6 @@ type Manager interface {
 	SetIntegratedPeerValidator(integratedPeerValidator integrated_validator.IntegratedValidator)
 	SetAccountManager(accountManager account.Manager)
 	GetPeerID(ctx context.Context, peerKey string) (string, error)
-	CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error
 }

 type managerImpl struct {
@@ -184,36 +182,3 @@ func (m *managerImpl) DeletePeers(ctx context.Context, accountID string, peerIDs
 func (m *managerImpl) GetPeerID(ctx context.Context, peerKey string) (string, error) {
 	return m.store.GetPeerIDByKey(ctx, store.LockingStrengthNone, peerKey)
 }
-
-func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
-	existingPeerID, err := m.store.GetPeerIDByKey(ctx, store.LockingStrengthNone, peerKey)
-	if err == nil && existingPeerID != "" {
-		// Peer already exists
-		return nil
-	}
-
-	name := fmt.Sprintf("proxy-%s", xid.New().String())
-	peer := &peer.Peer{
-		Ephemeral: true,
-		ProxyMeta: peer.ProxyMeta{
-			Cluster:  cluster,
-			Embedded: true,
-		},
-		Name:                        name,
-		Key:                         peerKey,
-		LoginExpirationEnabled:      false,
-		InactivityExpirationEnabled: false,
-		Meta: peer.PeerSystemMeta{
-			Hostname: name,
-			GoOS:     "proxy",
-			OS:       "proxy",
-		},
-	}
-
-	_, _, _, err = m.accountManager.AddPeer(ctx, accountID, "", "", peer, false)
-	if err != nil {
-		return fmt.Errorf("failed to create proxy peer: %w", err)
-	}
-
-	return nil
-}
--- a/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go
+++ b/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go
@@ -1,105 +0,0 @@
-package accesslogs
-
-import (
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/shared/management/http/api"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-type AccessLogEntry struct {
-	ID             string        `gorm:"primaryKey"`
-	AccountID      string        `gorm:"index"`
-	ServiceID      string        `gorm:"index"`
-	Timestamp      time.Time     `gorm:"index"`
-	GeoLocation    peer.Location `gorm:"embedded;embeddedPrefix:location_"`
-	Method         string        `gorm:"index"`
-	Host           string        `gorm:"index"`
-	Path           string        `gorm:"index"`
-	Duration       time.Duration `gorm:"index"`
-	StatusCode     int           `gorm:"index"`
-	Reason         string
-	UserId         string `gorm:"index"`
-	AuthMethodUsed string `gorm:"index"`
-}
-
-// FromProto creates an AccessLogEntry from a proto.AccessLog
-func (a *AccessLogEntry) FromProto(serviceLog *proto.AccessLog) {
-	a.ID = serviceLog.GetLogId()
-	a.ServiceID = serviceLog.GetServiceId()
-	a.Timestamp = serviceLog.GetTimestamp().AsTime()
-	a.Method = serviceLog.GetMethod()
-	a.Host = serviceLog.GetHost()
-	a.Path = serviceLog.GetPath()
-	a.Duration = time.Duration(serviceLog.GetDurationMs()) * time.Millisecond
-	a.StatusCode = int(serviceLog.GetResponseCode())
-	a.UserId = serviceLog.GetUserId()
-	a.AuthMethodUsed = serviceLog.GetAuthMechanism()
-	a.AccountID = serviceLog.GetAccountId()
-
-	if sourceIP := serviceLog.GetSourceIp(); sourceIP != "" {
-		if ip, err := netip.ParseAddr(sourceIP); err == nil {
-			a.GeoLocation.ConnectionIP = net.IP(ip.AsSlice())
-		}
-	}
-
-	if !serviceLog.GetAuthSuccess() {
-		a.Reason = "Authentication failed"
-	} else if serviceLog.GetResponseCode() >= 400 {
-		a.Reason = "Request failed"
-	}
-}
-
-// ToAPIResponse converts an AccessLogEntry to the API ProxyAccessLog type
-func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog {
-	var sourceIP *string
-	if a.GeoLocation.ConnectionIP != nil {
-		ip := a.GeoLocation.ConnectionIP.String()
-		sourceIP = &ip
-	}
-
-	var reason *string
-	if a.Reason != "" {
-		reason = &a.Reason
-	}
-
-	var userID *string
-	if a.UserId != "" {
-		userID = &a.UserId
-	}
-
-	var authMethod *string
-	if a.AuthMethodUsed != "" {
-		authMethod = &a.AuthMethodUsed
-	}
-
-	var countryCode *string
-	if a.GeoLocation.CountryCode != "" {
-		countryCode = &a.GeoLocation.CountryCode
-	}
-
-	var cityName *string
-	if a.GeoLocation.CityName != "" {
-		cityName = &a.GeoLocation.CityName
-	}
-
-	return &api.ProxyAccessLog{
-		Id:             a.ID,
-		ServiceId:      a.ServiceID,
-		Timestamp:      a.Timestamp,
-		Method:         a.Method,
-		Host:           a.Host,
-		Path:           a.Path,
-		DurationMs:     int(a.Duration.Milliseconds()),
-		StatusCode:     a.StatusCode,
-		SourceIp:       sourceIP,
-		Reason:         reason,
-		UserId:         userID,
-		AuthMethodUsed: authMethod,
-		CountryCode:    countryCode,
-		CityName:       cityName,
-	}
-}
--- a/management/internals/modules/reverseproxy/accesslogs/filter.go
+++ b/management/internals/modules/reverseproxy/accesslogs/filter.go
@@ -1,124 +0,0 @@
-package accesslogs
-
-import (
-	"net/http"
-	"strconv"
-	"time"
-)
-
-const (
-	// DefaultPageSize is the default number of records per page
-	DefaultPageSize = 50
-	// MaxPageSize is the maximum number of records allowed per page
-	MaxPageSize = 100
-)
-
-// AccessLogFilter holds pagination and filtering parameters for access logs
-type AccessLogFilter struct {
-	// Page is the current page number (1-indexed)
-	Page int
-	// PageSize is the number of records per page
-	PageSize int
-
-	// Filtering parameters
-	Search     *string    // General search across log ID, host, path, source IP, and user fields
-	SourceIP   *string    // Filter by source IP address
-	Host       *string    // Filter by host header
-	Path       *string    // Filter by request path (supports LIKE pattern)
-	UserID     *string    // Filter by authenticated user ID
-	UserEmail  *string    // Filter by user email (requires user lookup)
-	UserName   *string    // Filter by user name (requires user lookup)
-	Method     *string    // Filter by HTTP method
-	Status     *string    // Filter by status: "success" (2xx/3xx) or "failed" (1xx/4xx/5xx)
-	StatusCode *int       // Filter by HTTP status code
-	StartDate  *time.Time // Filter by timestamp >= start_date
-	EndDate    *time.Time // Filter by timestamp <= end_date
-}
-
-// ParseFromRequest parses pagination and filter parameters from HTTP request query parameters
-func (f *AccessLogFilter) ParseFromRequest(r *http.Request) {
-	queryParams := r.URL.Query()
-
-	f.Page = 1
-	if pageStr := queryParams.Get("page"); pageStr != "" {
-		if page, err := strconv.Atoi(pageStr); err == nil && page > 0 {
-			f.Page = page
-		}
-	}
-
-	f.PageSize = DefaultPageSize
-	if pageSizeStr := queryParams.Get("page_size"); pageSizeStr != "" {
-		if pageSize, err := strconv.Atoi(pageSizeStr); err == nil && pageSize > 0 {
-			f.PageSize = pageSize
-			if f.PageSize > MaxPageSize {
-				f.PageSize = MaxPageSize
-			}
-		}
-	}
-
-	if search := queryParams.Get("search"); search != "" {
-		f.Search = &search
-	}
-
-	if sourceIP := queryParams.Get("source_ip"); sourceIP != "" {
-		f.SourceIP = &sourceIP
-	}
-
-	if host := queryParams.Get("host"); host != "" {
-		f.Host = &host
-	}
-
-	if path := queryParams.Get("path"); path != "" {
-		f.Path = &path
-	}
-
-	if userID := queryParams.Get("user_id"); userID != "" {
-		f.UserID = &userID
-	}
-
-	if userEmail := queryParams.Get("user_email"); userEmail != "" {
-		f.UserEmail = &userEmail
-	}
-
-	if userName := queryParams.Get("user_name"); userName != "" {
-		f.UserName = &userName
-	}
-
-	if method := queryParams.Get("method"); method != "" {
-		f.Method = &method
-	}
-
-	if status := queryParams.Get("status"); status != "" {
-		f.Status = &status
-	}
-
-	if statusCodeStr := queryParams.Get("status_code"); statusCodeStr != "" {
-		if statusCode, err := strconv.Atoi(statusCodeStr); err == nil && statusCode > 0 {
-			f.StatusCode = &statusCode
-		}
-	}
-
-	if startDate := queryParams.Get("start_date"); startDate != "" {
-		parsedStartDate, err := time.Parse(time.RFC3339, startDate)
-		if err == nil {
-			f.StartDate = &parsedStartDate
-		}
-	}
-
-	if endDate := queryParams.Get("end_date"); endDate != "" {
-		parsedEndDate, err := time.Parse(time.RFC3339, endDate)
-		if err == nil {
-			f.EndDate = &parsedEndDate
-		}
-	}
-}
-
-// GetOffset calculates the database offset for pagination
-func (f *AccessLogFilter) GetOffset() int {
-	return (f.Page - 1) * f.PageSize
-}
-
-// GetLimit returns the page size for database queries
-func (f *AccessLogFilter) GetLimit() int {
-	return f.PageSize
-}
--- a/management/internals/modules/reverseproxy/accesslogs/filter_test.go
+++ b/management/internals/modules/reverseproxy/accesslogs/filter_test.go
@@ -1,161 +0,0 @@
-package accesslogs
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestAccessLogFilter_ParseFromRequest(t *testing.T) {
-	tests := []struct {
-		name             string
-		queryParams      map[string]string
-		expectedPage     int
-		expectedPageSize int
-	}{
-		{
-			name:             "default values when no params provided",
-			queryParams:      map[string]string{},
-			expectedPage:     1,
-			expectedPageSize: DefaultPageSize,
-		},
-		{
-			name: "valid page and page_size",
-			queryParams: map[string]string{
-				"page":      "2",
-				"page_size": "25",
-			},
-			expectedPage:     2,
-			expectedPageSize: 25,
-		},
-		{
-			name: "page_size exceeds max, should cap at MaxPageSize",
-			queryParams: map[string]string{
-				"page":      "1",
-				"page_size": "200",
-			},
-			expectedPage:     1,
-			expectedPageSize: MaxPageSize,
-		},
-		{
-			name: "invalid page number, should use default",
-			queryParams: map[string]string{
-				"page":      "invalid",
-				"page_size": "10",
-			},
-			expectedPage:     1,
-			expectedPageSize: 10,
-		},
-		{
-			name: "invalid page_size, should use default",
-			queryParams: map[string]string{
-				"page":      "2",
-				"page_size": "invalid",
-			},
-			expectedPage:     2,
-			expectedPageSize: DefaultPageSize,
-		},
-		{
-			name: "zero page number, should use default",
-			queryParams: map[string]string{
-				"page":      "0",
-				"page_size": "10",
-			},
-			expectedPage:     1,
-			expectedPageSize: 10,
-		},
-		{
-			name: "negative page number, should use default",
-			queryParams: map[string]string{
-				"page":      "-1",
-				"page_size": "10",
-			},
-			expectedPage:     1,
-			expectedPageSize: 10,
-		},
-		{
-			name: "zero page_size, should use default",
-			queryParams: map[string]string{
-				"page":      "1",
-				"page_size": "0",
-			},
-			expectedPage:     1,
-			expectedPageSize: DefaultPageSize,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test", nil)
-			q := req.URL.Query()
-			for key, value := range tt.queryParams {
-				q.Set(key, value)
-			}
-			req.URL.RawQuery = q.Encode()
-
-			filter := &AccessLogFilter{}
-			filter.ParseFromRequest(req)
-
-			assert.Equal(t, tt.expectedPage, filter.Page, "Page mismatch")
-			assert.Equal(t, tt.expectedPageSize, filter.PageSize, "PageSize mismatch")
-		})
-	}
-}
-
-func TestAccessLogFilter_GetOffset(t *testing.T) {
-	tests := []struct {
-		name           string
-		page           int
-		pageSize       int
-		expectedOffset int
-	}{
-		{
-			name:           "first page",
-			page:           1,
-			pageSize:       50,
-			expectedOffset: 0,
-		},
-		{
-			name:           "second page",
-			page:           2,
-			pageSize:       50,
-			expectedOffset: 50,
-		},
-		{
-			name:           "third page with page size 25",
-			page:           3,
-			pageSize:       25,
-			expectedOffset: 50,
-		},
-		{
-			name:           "page 10 with page size 10",
-			page:           10,
-			pageSize:       10,
-			expectedOffset: 90,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			filter := &AccessLogFilter{
-				Page:     tt.page,
-				PageSize: tt.pageSize,
-			}
-
-			offset := filter.GetOffset()
-			assert.Equal(t, tt.expectedOffset, offset)
-		})
-	}
-}
-
-func TestAccessLogFilter_GetLimit(t *testing.T) {
-	filter := &AccessLogFilter{
-		Page:     2,
-		PageSize: 25,
-	}
-
-	limit := filter.GetLimit()
-	assert.Equal(t, 25, limit, "GetLimit should return PageSize")
-}
--- a/management/internals/modules/reverseproxy/accesslogs/interface.go
+++ b/management/internals/modules/reverseproxy/accesslogs/interface.go
@@ -1,10 +0,0 @@
-package accesslogs
-
-import (
-	"context"
-)
-
-type Manager interface {
-	SaveAccessLog(ctx context.Context, proxyLog *AccessLogEntry) error
-	GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *AccessLogFilter) ([]*AccessLogEntry, int64, error)
-}
--- a/management/internals/modules/reverseproxy/accesslogs/manager/api.go
+++ b/management/internals/modules/reverseproxy/accesslogs/manager/api.go
@@ -1,64 +0,0 @@
-package manager
-
-import (
-	"net/http"
-
-	"github.com/gorilla/mux"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	nbcontext "github.com/netbirdio/netbird/management/server/context"
-	"github.com/netbirdio/netbird/shared/management/http/api"
-	"github.com/netbirdio/netbird/shared/management/http/util"
-)
-
-type handler struct {
-	manager accesslogs.Manager
-}
-
-func RegisterEndpoints(router *mux.Router, manager accesslogs.Manager) {
-	h := &handler{
-		manager: manager,
-	}
-
-	router.HandleFunc("/events/proxy", h.getAccessLogs).Methods("GET", "OPTIONS")
-}
-
-func (h *handler) getAccessLogs(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	var filter accesslogs.AccessLogFilter
-	filter.ParseFromRequest(r)
-
-	logs, totalCount, err := h.manager.GetAllAccessLogs(r.Context(), userAuth.AccountId, userAuth.UserId, &filter)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	apiLogs := make([]api.ProxyAccessLog, 0, len(logs))
-	for _, log := range logs {
-		apiLogs = append(apiLogs, *log.ToAPIResponse())
-	}
-
-	response := &api.ProxyAccessLogsResponse{
-		Data:         apiLogs,
-		Page:         filter.Page,
-		PageSize:     filter.PageSize,
-		TotalRecords: int(totalCount),
-		TotalPages:   getTotalPageCount(int(totalCount), filter.PageSize),
-	}
-
-	util.WriteJSONObject(r.Context(), w, response)
-}
-
-// getTotalPageCount calculates the total number of pages
-func getTotalPageCount(totalCount, pageSize int) int {
-	if pageSize <= 0 {
-		return 0
-	}
-	return (totalCount + pageSize - 1) / pageSize
-}
--- a/management/internals/modules/reverseproxy/accesslogs/manager/manager.go
+++ b/management/internals/modules/reverseproxy/accesslogs/manager/manager.go
@@ -1,108 +0,0 @@
-package manager
-
-import (
-	"context"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/management/server/geolocation"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-type managerImpl struct {
-	store              store.Store
-	permissionsManager permissions.Manager
-	geo                geolocation.Geolocation
-}
-
-func NewManager(store store.Store, permissionsManager permissions.Manager, geo geolocation.Geolocation) accesslogs.Manager {
-	return &managerImpl{
-		store:              store,
-		permissionsManager: permissionsManager,
-		geo:                geo,
-	}
-}
-
-// SaveAccessLog saves an access log entry to the database after enriching it
-func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.AccessLogEntry) error {
-	if m.geo != nil && logEntry.GeoLocation.ConnectionIP != nil {
-		location, err := m.geo.Lookup(logEntry.GeoLocation.ConnectionIP)
-		if err != nil {
-			log.WithContext(ctx).Warnf("failed to get location for access log source IP [%s]: %v", logEntry.GeoLocation.ConnectionIP.String(), err)
-		} else {
-			logEntry.GeoLocation.CountryCode = location.Country.ISOCode
-			logEntry.GeoLocation.CityName = location.City.Names.En
-			logEntry.GeoLocation.GeoNameID = location.City.GeonameID
-		}
-	}
-
-	if err := m.store.CreateAccessLog(ctx, logEntry); err != nil {
-		log.WithContext(ctx).WithFields(log.Fields{
-			"service_id": logEntry.ServiceID,
-			"method":     logEntry.Method,
-			"host":       logEntry.Host,
-			"path":       logEntry.Path,
-			"status":     logEntry.StatusCode,
-		}).Errorf("failed to save access log: %v", err)
-		return err
-	}
-
-	return nil
-}
-
-// GetAllAccessLogs retrieves access logs for an account with pagination and filtering
-func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
-	if err != nil {
-		return nil, 0, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, 0, status.NewPermissionDeniedError()
-	}
-
-	if err := m.resolveUserFilters(ctx, accountID, filter); err != nil {
-		log.WithContext(ctx).Warnf("failed to resolve user filters: %v", err)
-	}
-
-	logs, totalCount, err := m.store.GetAccountAccessLogs(ctx, store.LockingStrengthNone, accountID, *filter)
-	if err != nil {
-		return nil, 0, err
-	}
-
-	return logs, totalCount, nil
-}
-
-// resolveUserFilters converts user email/name filters to user ID filter
-func (m *managerImpl) resolveUserFilters(ctx context.Context, accountID string, filter *accesslogs.AccessLogFilter) error {
-	if filter.UserEmail == nil && filter.UserName == nil {
-		return nil
-	}
-
-	users, err := m.store.GetAccountUsers(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return err
-	}
-
-	var matchingUserIDs []string
-	for _, user := range users {
-		if filter.UserEmail != nil && strings.Contains(strings.ToLower(user.Email), strings.ToLower(*filter.UserEmail)) {
-			matchingUserIDs = append(matchingUserIDs, user.Id)
-			continue
-		}
-		if filter.UserName != nil && strings.Contains(strings.ToLower(user.Name), strings.ToLower(*filter.UserName)) {
-			matchingUserIDs = append(matchingUserIDs, user.Id)
-		}
-	}
-
-	if len(matchingUserIDs) > 0 {
-		filter.UserID = &matchingUserIDs[0]
-	}
-
-	return nil
-}
--- a/management/internals/modules/reverseproxy/domain/api.go
+++ b/management/internals/modules/reverseproxy/domain/api.go
@@ -1,134 +0,0 @@
-package domain
-
-import (
-	"encoding/json"
-	"net/http"
-
-	"github.com/gorilla/mux"
-	nbcontext "github.com/netbirdio/netbird/management/server/context"
-	"github.com/netbirdio/netbird/shared/management/http/api"
-	"github.com/netbirdio/netbird/shared/management/http/util"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-type handler struct {
-	manager Manager
-}
-
-func RegisterEndpoints(router *mux.Router, manager Manager) {
-	h := &handler{
-		manager: manager,
-	}
-
-	router.HandleFunc("/domains", h.getAllDomains).Methods("GET", "OPTIONS")
-	router.HandleFunc("/domains", h.createCustomDomain).Methods("POST", "OPTIONS")
-	router.HandleFunc("/domains/{domainId}", h.deleteCustomDomain).Methods("DELETE", "OPTIONS")
-	router.HandleFunc("/domains/{domainId}/validate", h.triggerCustomDomainValidation).Methods("GET", "OPTIONS")
-}
-
-func domainTypeToApi(t domainType) api.ReverseProxyDomainType {
-	switch t {
-	case TypeCustom:
-		return api.ReverseProxyDomainTypeCustom
-	case TypeFree:
-		return api.ReverseProxyDomainTypeFree
-	}
-	// By default return as a "free" domain as that is more restrictive.
-	// TODO: is this correct?
-	return api.ReverseProxyDomainTypeFree
-}
-
-func domainToApi(d *Domain) api.ReverseProxyDomain {
-	resp := api.ReverseProxyDomain{
-		Domain:    d.Domain,
-		Id:        d.ID,
-		Type:      domainTypeToApi(d.Type),
-		Validated: d.Validated,
-	}
-	if d.TargetCluster != "" {
-		resp.TargetCluster = &d.TargetCluster
-	}
-	return resp
-}
-
-func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	ret := make([]api.ReverseProxyDomain, 0)
-	for _, d := range domains {
-		ret = append(ret, domainToApi(d))
-	}
-
-	util.WriteJSONObject(r.Context(), w, ret)
-}
-
-func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	var req api.PostApiReverseProxiesDomainsJSONRequestBody
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
-		return
-	}
-
-	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, req.Domain, req.TargetCluster)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	util.WriteJSONObject(r.Context(), w, domainToApi(domain))
-}
-
-func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	domainID := mux.Vars(r)["domainId"]
-	if domainID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "domain ID is required"), w)
-		return
-	}
-
-	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, domainID); err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	w.WriteHeader(http.StatusNoContent)
-}
-
-func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	domainID := mux.Vars(r)["domainId"]
-	if domainID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "domain ID is required"), w)
-		return
-	}
-
-	go h.manager.ValidateDomain(userAuth.AccountId, domainID)
-
-	w.WriteHeader(http.StatusAccepted)
-}
--- a/management/internals/modules/reverseproxy/domain/manager.go
+++ b/management/internals/modules/reverseproxy/domain/manager.go
@@ -1,262 +0,0 @@
-package domain
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/url"
-	"strings"
-
-	"github.com/netbirdio/netbird/management/server/types"
-	log "github.com/sirupsen/logrus"
-)
-
-type domainType string
-
-const (
-	TypeFree   domainType = "free"
-	TypeCustom domainType = "custom"
-)
-
-type Domain struct {
-	ID            string     `gorm:"unique;primaryKey;autoIncrement"`
-	Domain        string     `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
-	AccountID     string     `gorm:"index"`
-	TargetCluster string     // The proxy cluster this domain should be validated against
-	Type          domainType `gorm:"-"`
-	Validated     bool
-}
-
-type store interface {
-	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
-
-	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*Domain, error)
-	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
-	ListCustomDomains(ctx context.Context, accountID string) ([]*Domain, error)
-	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*Domain, error)
-	UpdateCustomDomain(ctx context.Context, accountID string, d *Domain) (*Domain, error)
-	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
-}
-
-type proxyURLProvider interface {
-	GetConnectedProxyURLs() []string
-}
-
-type Manager struct {
-	store            store
-	validator        Validator
-	proxyURLProvider proxyURLProvider
-}
-
-func NewManager(store store, proxyURLProvider proxyURLProvider) Manager {
-	return Manager{
-		store:            store,
-		proxyURLProvider: proxyURLProvider,
-		validator: Validator{
-			resolver: net.DefaultResolver,
-		},
-	}
-}
-
-func (m Manager) GetDomains(ctx context.Context, accountID string) ([]*Domain, error) {
-	domains, err := m.store.ListCustomDomains(ctx, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("list custom domains: %w", err)
-	}
-
-	var ret []*Domain
-
-	// Add connected proxy clusters as free domains.
-	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
-	allowList := m.proxyURLAllowList()
-	log.WithFields(log.Fields{
-		"accountID":      accountID,
-		"proxyAllowList": allowList,
-	}).Debug("getting domains with proxy allow list")
-
-	for _, cluster := range allowList {
-		ret = append(ret, &Domain{
-			Domain:    cluster,
-			AccountID: accountID,
-			Type:      TypeFree,
-			Validated: true,
-		})
-	}
-
-	// Add custom domains.
-	for _, domain := range domains {
-		ret = append(ret, &Domain{
-			ID:            domain.ID,
-			Domain:        domain.Domain,
-			AccountID:     accountID,
-			TargetCluster: domain.TargetCluster,
-			Type:          TypeCustom,
-			Validated:     domain.Validated,
-		})
-	}
-
-	return ret, nil
-}
-
-func (m Manager) CreateDomain(ctx context.Context, accountID, domainName, targetCluster string) (*Domain, error) {
-
-	// Verify the target cluster is in the available clusters
-	allowList := m.proxyURLAllowList()
-	clusterValid := false
-	for _, cluster := range allowList {
-		if cluster == targetCluster {
-			clusterValid = true
-			break
-		}
-	}
-	if !clusterValid {
-		return nil, fmt.Errorf("target cluster %s is not available", targetCluster)
-	}
-
-	// Attempt an initial validation against the specified cluster only
-	var validated bool
-	if m.validator.IsValid(ctx, domainName, []string{targetCluster}) {
-		validated = true
-	}
-
-	d, err := m.store.CreateCustomDomain(ctx, accountID, domainName, targetCluster, validated)
-	if err != nil {
-		return d, fmt.Errorf("create domain in store: %w", err)
-	}
-	return d, nil
-}
-
-func (m Manager) DeleteDomain(ctx context.Context, accountID, domainID string) error {
-	if err := m.store.DeleteCustomDomain(ctx, accountID, domainID); err != nil {
-		// TODO: check for "no records" type error. Because that is a success condition.
-		return fmt.Errorf("delete domain from store: %w", err)
-	}
-	return nil
-}
-
-func (m Manager) ValidateDomain(accountID, domainID string) {
-	log.WithFields(log.Fields{
-		"accountID": accountID,
-		"domainID":  domainID,
-	}).Info("starting domain validation")
-
-	d, err := m.store.GetCustomDomain(context.Background(), accountID, domainID)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-		}).WithError(err).Error("get custom domain from store")
-		return
-	}
-
-	// Validate only against the domain's target cluster
-	targetCluster := d.TargetCluster
-	if targetCluster == "" {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-			"domain":    d.Domain,
-		}).Warn("domain has no target cluster set, skipping validation")
-		return
-	}
-
-	log.WithFields(log.Fields{
-		"accountID":     accountID,
-		"domainID":      domainID,
-		"domain":        d.Domain,
-		"targetCluster": targetCluster,
-	}).Info("validating domain against target cluster")
-
-	if m.validator.IsValid(context.Background(), d.Domain, []string{targetCluster}) {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-			"domain":    d.Domain,
-		}).Info("domain validated successfully")
-		d.Validated = true
-		if _, err := m.store.UpdateCustomDomain(context.Background(), accountID, d); err != nil {
-			log.WithFields(log.Fields{
-				"accountID": accountID,
-				"domainID":  domainID,
-				"domain":    d.Domain,
-			}).WithError(err).Error("update custom domain in store")
-			return
-		}
-	} else {
-		log.WithFields(log.Fields{
-			"accountID":     accountID,
-			"domainID":      domainID,
-			"domain":        d.Domain,
-			"targetCluster": targetCluster,
-		}).Warn("domain validation failed - CNAME does not match target cluster")
-	}
-}
-
-// proxyURLAllowList retrieves a list of currently connected proxies and
-// their URLs (as reported by the proxy servers). It performs some clean
-// up on those URLs to attempt to retrieve domain names as we would
-// expect to see them in a validation check.
-func (m Manager) proxyURLAllowList() []string {
-	var reverseProxyAddresses []string
-	if m.proxyURLProvider != nil {
-		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
-	}
-	var allowedProxyURLs []string
-	for _, addr := range reverseProxyAddresses {
-		if addr == "" {
-			continue
-		}
-		host := extractHostFromAddress(addr)
-		if host != "" {
-			allowedProxyURLs = append(allowedProxyURLs, host)
-		}
-	}
-	return allowedProxyURLs
-}
-
-// extractHostFromAddress extracts the hostname from an address string.
-// It handles both URL format (https://host:port) and plain hostname (host or host:port).
-func extractHostFromAddress(addr string) string {
-	// If it looks like a URL with a scheme, parse it
-	if strings.Contains(addr, "://") {
-		proxyUrl, err := url.Parse(addr)
-		if err != nil {
-			log.WithError(err).Debugf("failed to parse proxy URL %s", addr)
-			return ""
-		}
-		host, _, err := net.SplitHostPort(proxyUrl.Host)
-		if err != nil {
-			return proxyUrl.Host
-		}
-		return host
-	}
-
-	// Otherwise treat as hostname or host:port
-	host, _, err := net.SplitHostPort(addr)
-	if err != nil {
-		// No port, use as-is
-		return addr
-	}
-	return host
-}
-
-// DeriveClusterFromDomain determines the proxy cluster for a given domain.
-// For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
-// For custom domains, the cluster is determined by looking up the CNAME target.
-func (m Manager) DeriveClusterFromDomain(ctx context.Context, domain string) (string, error) {
-	allowList := m.proxyURLAllowList()
-	if len(allowList) == 0 {
-		return "", fmt.Errorf("no proxy clusters available")
-	}
-
-	if cluster, ok := ExtractClusterFromFreeDomain(domain, allowList); ok {
-		return cluster, nil
-	}
-
-	cluster, valid := m.validator.ValidateWithCluster(ctx, domain, allowList)
-	if valid {
-		return cluster, nil
-	}
-
-	return "", fmt.Errorf("domain %s does not match any available proxy cluster", domain)
-}
--- a/management/internals/modules/reverseproxy/domain/validator.go
+++ b/management/internals/modules/reverseproxy/domain/validator.go
@@ -1,100 +0,0 @@
-package domain
-
-import (
-	"context"
-	"net"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-type resolver interface {
-	LookupCNAME(context.Context, string) (string, error)
-}
-
-type Validator struct {
-	resolver resolver
-}
-
-// NewValidator initializes a validator with a specific DNS resolver.
-// If a Validator is used without specifying a resolver, then it will
-// use the net.DefaultResolver.
-func NewValidator(resolver resolver) *Validator {
-	return &Validator{
-		resolver: resolver,
-	}
-}
-
-// IsValid looks up the CNAME record for the passed domain with a prefix
-// and compares it against the acceptable domains.
-// If the returned CNAME matches any accepted domain, it will return true,
-// otherwise, including in the event of a DNS error, it will return false.
-// The comparison is very simple, so wildcards will not match if included
-// in the acceptable domain list.
-func (v *Validator) IsValid(ctx context.Context, domain string, accept []string) bool {
-	_, valid := v.ValidateWithCluster(ctx, domain, accept)
-	return valid
-}
-
-// ValidateWithCluster validates a custom domain and returns the matched cluster address.
-// Returns the cluster address and true if valid, or empty string and false if invalid.
-func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, accept []string) (string, bool) {
-	if v.resolver == nil {
-		v.resolver = net.DefaultResolver
-	}
-
-	lookupDomain := "validation." + domain
-	log.WithFields(log.Fields{
-		"domain":       domain,
-		"lookupDomain": lookupDomain,
-		"acceptList":   accept,
-	}).Debug("looking up CNAME for domain validation")
-
-	cname, err := v.resolver.LookupCNAME(ctx, lookupDomain)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"domain":       domain,
-			"lookupDomain": lookupDomain,
-		}).WithError(err).Warn("CNAME lookup failed for domain validation")
-		return "", false
-	}
-
-	nakedCNAME := strings.TrimSuffix(cname, ".")
-	log.WithFields(log.Fields{
-		"domain":     domain,
-		"cname":      cname,
-		"nakedCNAME": nakedCNAME,
-		"acceptList": accept,
-	}).Debug("CNAME lookup result for domain validation")
-
-	for _, acceptDomain := range accept {
-		normalizedAccept := strings.TrimSuffix(acceptDomain, ".")
-		if nakedCNAME == normalizedAccept {
-			log.WithFields(log.Fields{
-				"domain":  domain,
-				"cname":   nakedCNAME,
-				"cluster": acceptDomain,
-			}).Info("domain CNAME matched cluster")
-			return acceptDomain, true
-		}
-	}
-
-	log.WithFields(log.Fields{
-		"domain":     domain,
-		"cname":      nakedCNAME,
-		"acceptList": accept,
-	}).Warn("domain CNAME does not match any accepted cluster")
-	return "", false
-}
-
-// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
-// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
-// It matches the domain suffix against available clusters and returns the matching cluster.
-func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
-	for _, cluster := range availableClusters {
-		if strings.HasSuffix(domain, "."+cluster) {
-			return cluster, true
-		}
-	}
-	return "", false
-}
--- a/management/internals/modules/reverseproxy/domain/validator_test.go
+++ b/management/internals/modules/reverseproxy/domain/validator_test.go
@@ -1,56 +0,0 @@
-package domain_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-)
-
-type resolver struct {
-	CNAME string
-}
-
-func (r resolver) LookupCNAME(_ context.Context, _ string) (string, error) {
-	return r.CNAME, nil
-}
-
-func TestIsValid(t *testing.T) {
-	tests := map[string]struct {
-		resolver interface {
-			LookupCNAME(context.Context, string) (string, error)
-		}
-		domain string
-		accept []string
-		expect bool
-	}{
-		"match": {
-			resolver: resolver{"bar.example.com."}, // Including trailing "." in response.
-			domain:   "foo.example.com",
-			accept:   []string{"bar.example.com"},
-			expect:   true,
-		},
-		"no match": {
-			resolver: resolver{"invalid"},
-			domain:   "foo.example.com",
-			accept:   []string{"bar.example.com"},
-			expect:   false,
-		},
-		"accept trailing dot": {
-			resolver: resolver{"bar.example.com."},
-			domain:   "foo.example.com",
-			accept:   []string{"bar.example.com."}, // Including trailing "." in accept.
-			expect:   true,
-		},
-	}
-
-	for name, test := range tests {
-		t.Run(name, func(t *testing.T) {
-			validator := domain.NewValidator(test.resolver)
-			actual := validator.IsValid(t.Context(), test.domain, test.accept)
-			if test.expect != actual {
-				t.Errorf("Incorrect return value:\nexpect: %v\nactual: %v", test.expect, actual)
-			}
-		})
-	}
-}
--- a/management/internals/modules/reverseproxy/interface.go
+++ b/management/internals/modules/reverseproxy/interface.go
@@ -1,21 +0,0 @@
-package reverseproxy
-
-import (
-	"context"
-)
-
-type Manager interface {
-	GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error)
-	GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error)
-	CreateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error)
-	UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error)
-	DeleteService(ctx context.Context, accountID, userID, serviceID string) error
-	SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error
-	SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error
-	ReloadAllServicesForAccount(ctx context.Context, accountID string) error
-	ReloadService(ctx context.Context, accountID, serviceID string) error
-	GetGlobalServices(ctx context.Context) ([]*Service, error)
-	GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error)
-	GetAccountServices(ctx context.Context, accountID string) ([]*Service, error)
-	GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error)
-}
--- a/management/internals/modules/reverseproxy/manager/api.go
+++ b/management/internals/modules/reverseproxy/manager/api.go
@@ -1,170 +0,0 @@
-package manager
-
-import (
-	"encoding/json"
-	"net/http"
-
-	"github.com/gorilla/mux"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-	nbcontext "github.com/netbirdio/netbird/management/server/context"
-	"github.com/netbirdio/netbird/shared/management/http/api"
-	"github.com/netbirdio/netbird/shared/management/http/util"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-type handler struct {
-	manager reverseproxy.Manager
-}
-
-// RegisterEndpoints registers all service HTTP endpoints.
-func RegisterEndpoints(manager reverseproxy.Manager, domainManager domain.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
-	h := &handler{
-		manager: manager,
-	}
-
-	domainRouter := router.PathPrefix("/services").Subrouter()
-	domain.RegisterEndpoints(domainRouter, domainManager)
-
-	accesslogsmanager.RegisterEndpoints(router, accessLogsManager)
-
-	router.HandleFunc("/services", h.getAllServices).Methods("GET", "OPTIONS")
-	router.HandleFunc("/services", h.createService).Methods("POST", "OPTIONS")
-	router.HandleFunc("/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
-	router.HandleFunc("/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
-}
-
-func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	allServices, err := h.manager.GetAllServices(r.Context(), userAuth.AccountId, userAuth.UserId)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	apiServices := make([]*api.Service, 0, len(allServices))
-	for _, service := range allServices {
-		apiServices = append(apiServices, service.ToAPIResponse())
-	}
-
-	util.WriteJSONObject(r.Context(), w, apiServices)
-}
-
-func (h *handler) createService(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	var req api.ServiceRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
-		return
-	}
-
-	service := new(reverseproxy.Service)
-	service.FromAPIRequest(&req, userAuth.AccountId)
-
-	if err = service.Validate(); err != nil {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
-		return
-	}
-
-	createdService, err := h.manager.CreateService(r.Context(), userAuth.AccountId, userAuth.UserId, service)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	util.WriteJSONObject(r.Context(), w, createdService.ToAPIResponse())
-}
-
-func (h *handler) getService(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	serviceID := mux.Vars(r)["serviceId"]
-	if serviceID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
-		return
-	}
-
-	service, err := h.manager.GetService(r.Context(), userAuth.AccountId, userAuth.UserId, serviceID)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	util.WriteJSONObject(r.Context(), w, service.ToAPIResponse())
-}
-
-func (h *handler) updateService(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	serviceID := mux.Vars(r)["serviceId"]
-	if serviceID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
-		return
-	}
-
-	var req api.ServiceRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
-		return
-	}
-
-	service := new(reverseproxy.Service)
-	service.ID = serviceID
-	service.FromAPIRequest(&req, userAuth.AccountId)
-
-	if err = service.Validate(); err != nil {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
-		return
-	}
-
-	updatedService, err := h.manager.UpdateService(r.Context(), userAuth.AccountId, userAuth.UserId, service)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	util.WriteJSONObject(r.Context(), w, updatedService.ToAPIResponse())
-}
-
-func (h *handler) deleteService(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	serviceID := mux.Vars(r)["serviceId"]
-	if serviceID == "" {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
-		return
-	}
-
-	if err := h.manager.DeleteService(r.Context(), userAuth.AccountId, userAuth.UserId, serviceID); err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
-}
--- a/management/internals/modules/reverseproxy/manager/manager.go
+++ b/management/internals/modules/reverseproxy/manager/manager.go
@@ -1,508 +0,0 @@
-package manager
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/account"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-const unknownHostPlaceholder = "unknown"
-
-// ClusterDeriver derives the proxy cluster from a domain.
-type ClusterDeriver interface {
-	DeriveClusterFromDomain(ctx context.Context, domain string) (string, error)
-}
-
-type managerImpl struct {
-	store              store.Store
-	accountManager     account.Manager
-	permissionsManager permissions.Manager
-	proxyGRPCServer    *nbgrpc.ProxyServiceServer
-	tokenStore         *nbgrpc.OneTimeTokenStore
-	clusterDeriver     ClusterDeriver
-}
-
-// NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, tokenStore *nbgrpc.OneTimeTokenStore, clusterDeriver ClusterDeriver) reverseproxy.Manager {
-	return &managerImpl{
-		store:              store,
-		accountManager:     accountManager,
-		permissionsManager: permissionsManager,
-		proxyGRPCServer:    proxyGRPCServer,
-		tokenStore:         tokenStore,
-		clusterDeriver:     clusterDeriver,
-	}
-}
-
-func (m *managerImpl) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, accountID, service)
-		if err != nil {
-			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-	}
-
-	return services, nil
-}
-
-func (m *managerImpl) replaceHostByLookup(ctx context.Context, accountID string, service *reverseproxy.Service) error {
-	for _, target := range service.Targets {
-		switch target.TargetType {
-		case reverseproxy.TargetTypePeer:
-			peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
-			if err != nil {
-				log.WithContext(ctx).Warnf("failed to get peer by id %s for service %s: %v", target.TargetId, service.ID, err)
-				target.Host = unknownHostPlaceholder
-				continue
-			}
-			target.Host = peer.IP.String()
-		case reverseproxy.TargetTypeHost:
-			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
-			if err != nil {
-				log.WithContext(ctx).Warnf("failed to get resource by id %s for service %s: %v", target.TargetId, service.ID, err)
-				target.Host = unknownHostPlaceholder
-				continue
-			}
-			target.Host = resource.Prefix.Addr().String()
-		case reverseproxy.TargetTypeDomain:
-			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
-			if err != nil {
-				log.WithContext(ctx).Warnf("failed to get resource by id %s for service %s: %v", target.TargetId, service.ID, err)
-				target.Host = unknownHostPlaceholder
-				continue
-			}
-			target.Host = resource.Domain
-		case reverseproxy.TargetTypeSubnet:
-			// For subnets we do not do any lookups on the resource
-		default:
-			return fmt.Errorf("unknown target type: %s", target.TargetType)
-		}
-	}
-	return nil
-}
-
-func (m *managerImpl) GetService(ctx context.Context, accountID, userID, serviceID string) (*reverseproxy.Service, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get service: %w", err)
-	}
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-	return service, nil
-}
-
-func (m *managerImpl) CreateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	var proxyCluster string
-	if m.clusterDeriver != nil {
-		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, service.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
-		}
-	}
-
-	service.AccountID = accountID
-	service.ProxyCluster = proxyCluster
-	service.InitNewRecord()
-	err = service.Auth.HashSecrets()
-	if err != nil {
-		return nil, fmt.Errorf("hash secrets: %w", err)
-	}
-
-	// Generate session JWT signing keys
-	keyPair, err := sessionkey.GenerateKeyPair()
-	if err != nil {
-		return nil, fmt.Errorf("generate session keys: %w", err)
-	}
-	service.SessionPrivateKey = keyPair.PrivateKey
-	service.SessionPublicKey = keyPair.PublicKey
-
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		// Check for duplicate domain
-		existingService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
-		if err != nil {
-			if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
-				return fmt.Errorf("failed to check existing service: %w", err)
-			}
-		}
-		if existingService != nil {
-			return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
-		}
-
-		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err = transaction.CreateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to create service: %w", err)
-		}
-
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	token, err := m.tokenStore.GenerateToken(accountID, service.ID, 5*time.Minute)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
-	}
-
-	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceCreated, service.EventMeta())
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return service, nil
-}
-
-func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	var oldCluster string
-	var domainChanged bool
-	var serviceEnabledChanged bool
-
-	err = service.Auth.HashSecrets()
-	if err != nil {
-		return nil, fmt.Errorf("hash secrets: %w", err)
-	}
-
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
-		if err != nil {
-			return err
-		}
-
-		oldCluster = existingService.ProxyCluster
-
-		if existingService.Domain != service.Domain {
-			domainChanged = true
-			conflictService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
-			if err != nil {
-				if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
-					return fmt.Errorf("check existing service: %w", err)
-				}
-			}
-			if conflictService != nil && conflictService.ID != service.ID {
-				return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
-			}
-
-			if m.clusterDeriver != nil {
-				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, service.Domain)
-				if err != nil {
-					log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
-				}
-				service.ProxyCluster = newCluster
-			}
-		} else {
-			service.ProxyCluster = existingService.ProxyCluster
-		}
-
-		if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
-			existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
-			service.Auth.PasswordAuth.Password == "" {
-			service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
-		}
-
-		if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
-			existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
-			service.Auth.PinAuth.Pin == "" {
-			service.Auth.PinAuth = existingService.Auth.PinAuth
-		}
-
-		service.Meta = existingService.Meta
-		service.SessionPrivateKey = existingService.SessionPrivateKey
-		service.SessionPublicKey = existingService.SessionPublicKey
-		serviceEnabledChanged = existingService.Enabled != service.Enabled
-
-		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err = transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("update service: %w", err)
-		}
-
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceUpdated, service.EventMeta())
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	token, err := m.tokenStore.GenerateToken(accountID, service.ID, 5*time.Minute)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
-	}
-
-	switch {
-	case domainChanged && oldCluster != service.ProxyCluster:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), oldCluster)
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-	case !service.Enabled && serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-	case service.Enabled && serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-	default:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	}
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return service, nil
-}
-
-// validateTargetReferences checks that all target IDs reference existing peers or resources in the account.
-func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []*reverseproxy.Target) error {
-	for _, target := range targets {
-		switch target.TargetType {
-		case reverseproxy.TargetTypePeer:
-			if _, err := transaction.GetPeerByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
-				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
-					return status.Errorf(status.InvalidArgument, "peer target %q not found in account", target.TargetId)
-				}
-				return fmt.Errorf("look up peer target %q: %w", target.TargetId, err)
-			}
-		case reverseproxy.TargetTypeHost, reverseproxy.TargetTypeSubnet, reverseproxy.TargetTypeDomain:
-			if _, err := transaction.GetNetworkResourceByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
-				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
-					return status.Errorf(status.InvalidArgument, "resource target %q not found in account", target.TargetId)
-				}
-				return fmt.Errorf("look up resource target %q: %w", target.TargetId, err)
-			}
-		}
-	}
-	return nil
-}
-
-func (m *managerImpl) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return status.NewPermissionDeniedError()
-	}
-
-	var service *reverseproxy.Service
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
-		service, err = transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
-		if err != nil {
-			return err
-		}
-
-		if err = transaction.DeleteService(ctx, accountID, serviceID); err != nil {
-			return fmt.Errorf("failed to delete service: %w", err)
-		}
-
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-
-	m.accountManager.StoreEvent(ctx, userID, serviceID, accountID, activity.ServiceDeleted, service.EventMeta())
-
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return nil
-}
-
-// SetCertificateIssuedAt sets the certificate issued timestamp to the current time.
-// Call this when receiving a gRPC notification that the certificate was issued.
-func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
-	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		service, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
-		if err != nil {
-			return fmt.Errorf("failed to get service: %w", err)
-		}
-
-		service.Meta.CertificateIssuedAt = time.Now()
-
-		if err = transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to update service certificate timestamp: %w", err)
-		}
-
-		return nil
-	})
-}
-
-// SetStatus updates the status of the service (e.g., "active", "tunnel_not_created", etc.)
-func (m *managerImpl) SetStatus(ctx context.Context, accountID, serviceID string, status reverseproxy.ProxyStatus) error {
-	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		service, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
-		if err != nil {
-			return fmt.Errorf("failed to get service: %w", err)
-		}
-
-		service.Meta.Status = string(status)
-
-		if err = transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to update service status: %w", err)
-		}
-
-		return nil
-	})
-}
-
-func (m *managerImpl) ReloadService(ctx context.Context, accountID, serviceID string) error {
-	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
-	if err != nil {
-		return fmt.Errorf("failed to get service: %w", err)
-	}
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return nil
-}
-
-func (m *managerImpl) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
-	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, accountID, service)
-		if err != nil {
-			return fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
-	}
-
-	m.accountManager.UpdateAccountPeers(ctx, accountID)
-
-	return nil
-}
-
-func (m *managerImpl) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	services, err := m.store.GetServices(ctx, store.LockingStrengthNone)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, service.AccountID, service)
-		if err != nil {
-			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-	}
-
-	return services, nil
-}
-
-func (m *managerImpl) GetServiceByID(ctx context.Context, accountID, serviceID string) (*reverseproxy.Service, error) {
-	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get service: %w", err)
-	}
-
-	err = m.replaceHostByLookup(ctx, accountID, service)
-	if err != nil {
-		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-	}
-
-	return service, nil
-}
-
-func (m *managerImpl) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
-	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get services: %w", err)
-	}
-
-	for _, service := range services {
-		err = m.replaceHostByLookup(ctx, accountID, service)
-		if err != nil {
-			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
-		}
-	}
-
-	return services, nil
-}
-
-func (m *managerImpl) GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error) {
-	target, err := m.store.GetServiceTargetByTargetID(ctx, store.LockingStrengthNone, accountID, resourceID)
-	if err != nil {
-		return "", fmt.Errorf("failed to get service target by resource ID: %w", err)
-	}
-
-	if target == nil {
-		return "", nil
-	}
-
-	return target.ServiceID, nil
-}
--- a/management/internals/modules/reverseproxy/reverseproxy.go
+++ b/management/internals/modules/reverseproxy/reverseproxy.go
@@ -1,463 +0,0 @@
-package reverseproxy
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"net/url"
-	"strconv"
-	"time"
-
-	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/shared/hash/argon2id"
-	"github.com/netbirdio/netbird/util/crypt"
-
-	"github.com/netbirdio/netbird/shared/management/http/api"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-type Operation string
-
-const (
-	Create Operation = "create"
-	Update Operation = "update"
-	Delete Operation = "delete"
-)
-
-type ProxyStatus string
-
-const (
-	StatusPending            ProxyStatus = "pending"
-	StatusActive             ProxyStatus = "active"
-	StatusTunnelNotCreated   ProxyStatus = "tunnel_not_created"
-	StatusCertificatePending ProxyStatus = "certificate_pending"
-	StatusCertificateFailed  ProxyStatus = "certificate_failed"
-	StatusError              ProxyStatus = "error"
-
-	TargetTypePeer   = "peer"
-	TargetTypeHost   = "host"
-	TargetTypeDomain = "domain"
-	TargetTypeSubnet = "subnet"
-)
-
-type Target struct {
-	ID         uint    `gorm:"primaryKey" json:"-"`
-	AccountID  string  `gorm:"index:idx_target_account;not null" json:"-"`
-	ServiceID  string  `gorm:"index:idx_service_targets;not null" json:"-"`
-	Path       *string `json:"path,omitempty"`
-	Host       string  `json:"host"` // the Host field is only used for subnet targets, otherwise ignored
-	Port       int     `gorm:"index:idx_target_port" json:"port"`
-	Protocol   string  `gorm:"index:idx_target_protocol" json:"protocol"`
-	TargetId   string  `gorm:"index:idx_target_id" json:"target_id"`
-	TargetType string  `gorm:"index:idx_target_type" json:"target_type"`
-	Enabled    bool    `gorm:"index:idx_target_enabled" json:"enabled"`
-}
-
-type PasswordAuthConfig struct {
-	Enabled  bool   `json:"enabled"`
-	Password string `json:"password"`
-}
-
-type PINAuthConfig struct {
-	Enabled bool   `json:"enabled"`
-	Pin     string `json:"pin"`
-}
-
-type BearerAuthConfig struct {
-	Enabled            bool     `json:"enabled"`
-	DistributionGroups []string `json:"distribution_groups,omitempty" gorm:"serializer:json"`
-}
-
-type AuthConfig struct {
-	PasswordAuth *PasswordAuthConfig `json:"password_auth,omitempty" gorm:"serializer:json"`
-	PinAuth      *PINAuthConfig      `json:"pin_auth,omitempty" gorm:"serializer:json"`
-	BearerAuth   *BearerAuthConfig   `json:"bearer_auth,omitempty" gorm:"serializer:json"`
-}
-
-func (a *AuthConfig) HashSecrets() error {
-	if a.PasswordAuth != nil && a.PasswordAuth.Enabled && a.PasswordAuth.Password != "" {
-		hashedPassword, err := argon2id.Hash(a.PasswordAuth.Password)
-		if err != nil {
-			return fmt.Errorf("hash password: %w", err)
-		}
-		a.PasswordAuth.Password = hashedPassword
-	}
-
-	if a.PinAuth != nil && a.PinAuth.Enabled && a.PinAuth.Pin != "" {
-		hashedPin, err := argon2id.Hash(a.PinAuth.Pin)
-		if err != nil {
-			return fmt.Errorf("hash pin: %w", err)
-		}
-		a.PinAuth.Pin = hashedPin
-	}
-
-	return nil
-}
-
-func (a *AuthConfig) ClearSecrets() {
-	if a.PasswordAuth != nil {
-		a.PasswordAuth.Password = ""
-	}
-	if a.PinAuth != nil {
-		a.PinAuth.Pin = ""
-	}
-}
-
-type OIDCValidationConfig struct {
-	Issuer             string
-	Audiences          []string
-	KeysLocation       string
-	MaxTokenAgeSeconds int64
-}
-
-type ServiceMeta struct {
-	CreatedAt           time.Time
-	CertificateIssuedAt time.Time
-	Status              string
-}
-
-type Service struct {
-	ID                string `gorm:"primaryKey"`
-	AccountID         string `gorm:"index"`
-	Name              string
-	Domain            string    `gorm:"index"`
-	ProxyCluster      string    `gorm:"index"`
-	Targets           []*Target `gorm:"foreignKey:ServiceID;constraint:OnDelete:CASCADE"`
-	Enabled           bool
-	PassHostHeader    bool
-	RewriteRedirects  bool
-	Auth              AuthConfig  `gorm:"serializer:json"`
-	Meta              ServiceMeta `gorm:"embedded;embeddedPrefix:meta_"`
-	SessionPrivateKey string      `gorm:"column:session_private_key"`
-	SessionPublicKey  string      `gorm:"column:session_public_key"`
-}
-
-func NewService(accountID, name, domain, proxyCluster string, targets []*Target, enabled bool) *Service {
-	for _, target := range targets {
-		target.AccountID = accountID
-	}
-
-	s := &Service{
-		AccountID:    accountID,
-		Name:         name,
-		Domain:       domain,
-		ProxyCluster: proxyCluster,
-		Targets:      targets,
-		Enabled:      enabled,
-	}
-	s.InitNewRecord()
-	return s
-}
-
-// InitNewRecord generates a new unique ID and resets metadata for a newly created
-// Service record. This overwrites any existing ID and Meta fields and should
-// only be called during initial creation, not for updates.
-func (s *Service) InitNewRecord() {
-	s.ID = xid.New().String()
-	s.Meta = ServiceMeta{
-		CreatedAt: time.Now(),
-		Status:    string(StatusPending),
-	}
-}
-
-func (s *Service) ToAPIResponse() *api.Service {
-	s.Auth.ClearSecrets()
-
-	authConfig := api.ServiceAuthConfig{}
-
-	if s.Auth.PasswordAuth != nil {
-		authConfig.PasswordAuth = &api.PasswordAuthConfig{
-			Enabled:  s.Auth.PasswordAuth.Enabled,
-			Password: s.Auth.PasswordAuth.Password,
-		}
-	}
-
-	if s.Auth.PinAuth != nil {
-		authConfig.PinAuth = &api.PINAuthConfig{
-			Enabled: s.Auth.PinAuth.Enabled,
-			Pin:     s.Auth.PinAuth.Pin,
-		}
-	}
-
-	if s.Auth.BearerAuth != nil {
-		authConfig.BearerAuth = &api.BearerAuthConfig{
-			Enabled:            s.Auth.BearerAuth.Enabled,
-			DistributionGroups: &s.Auth.BearerAuth.DistributionGroups,
-		}
-	}
-
-	// Convert internal targets to API targets
-	apiTargets := make([]api.ServiceTarget, 0, len(s.Targets))
-	for _, target := range s.Targets {
-		apiTargets = append(apiTargets, api.ServiceTarget{
-			Path:       target.Path,
-			Host:       &target.Host,
-			Port:       target.Port,
-			Protocol:   api.ServiceTargetProtocol(target.Protocol),
-			TargetId:   target.TargetId,
-			TargetType: api.ServiceTargetTargetType(target.TargetType),
-			Enabled:    target.Enabled,
-		})
-	}
-
-	meta := api.ServiceMeta{
-		CreatedAt: s.Meta.CreatedAt,
-		Status:    api.ServiceMetaStatus(s.Meta.Status),
-	}
-
-	if !s.Meta.CertificateIssuedAt.IsZero() {
-		meta.CertificateIssuedAt = &s.Meta.CertificateIssuedAt
-	}
-
-	resp := &api.Service{
-		Id:               s.ID,
-		Name:             s.Name,
-		Domain:           s.Domain,
-		Targets:          apiTargets,
-		Enabled:          s.Enabled,
-		PassHostHeader:   &s.PassHostHeader,
-		RewriteRedirects: &s.RewriteRedirects,
-		Auth:             authConfig,
-		Meta:             meta,
-	}
-
-	if s.ProxyCluster != "" {
-		resp.ProxyCluster = &s.ProxyCluster
-	}
-
-	return resp
-}
-
-func (s *Service) ToProtoMapping(operation Operation, authToken string, oidcConfig OIDCValidationConfig) *proto.ProxyMapping {
-	pathMappings := make([]*proto.PathMapping, 0, len(s.Targets))
-	for _, target := range s.Targets {
-		if !target.Enabled {
-			continue
-		}
-
-		// TODO: Make path prefix stripping configurable per-target.
-		// Currently the matching prefix is baked into the target URL path,
-		// so the proxy strips-then-re-adds it (effectively a no-op).
-		targetURL := url.URL{
-			Scheme: target.Protocol,
-			Host:   target.Host,
-			Path:   "/", // TODO: support service path
-		}
-		if target.Port > 0 && !isDefaultPort(target.Protocol, target.Port) {
-			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.Itoa(target.Port))
-		}
-
-		path := "/"
-		if target.Path != nil {
-			path = *target.Path
-		}
-		pathMappings = append(pathMappings, &proto.PathMapping{
-			Path:   path,
-			Target: targetURL.String(),
-		})
-	}
-
-	auth := &proto.Authentication{
-		SessionKey:           s.SessionPublicKey,
-		MaxSessionAgeSeconds: int64((time.Hour * 24).Seconds()),
-	}
-
-	if s.Auth.PasswordAuth != nil && s.Auth.PasswordAuth.Enabled {
-		auth.Password = true
-	}
-
-	if s.Auth.PinAuth != nil && s.Auth.PinAuth.Enabled {
-		auth.Pin = true
-	}
-
-	if s.Auth.BearerAuth != nil && s.Auth.BearerAuth.Enabled {
-		auth.Oidc = true
-	}
-
-	return &proto.ProxyMapping{
-		Type:             operationToProtoType(operation),
-		Id:               s.ID,
-		Domain:           s.Domain,
-		Path:             pathMappings,
-		AuthToken:        authToken,
-		Auth:             auth,
-		AccountId:        s.AccountID,
-		PassHostHeader:   s.PassHostHeader,
-		RewriteRedirects: s.RewriteRedirects,
-	}
-}
-
-func operationToProtoType(op Operation) proto.ProxyMappingUpdateType {
-	switch op {
-	case Create:
-		return proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED
-	case Update:
-		return proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED
-	case Delete:
-		return proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED
-	default:
-		log.Fatalf("unknown operation type: %v", op)
-		return proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED
-	}
-}
-
-// isDefaultPort reports whether port is the standard default for the given scheme
-// (443 for https, 80 for http).
-func isDefaultPort(scheme string, port int) bool {
-	return (scheme == "https" && port == 443) || (scheme == "http" && port == 80)
-}
-
-func (s *Service) FromAPIRequest(req *api.ServiceRequest, accountID string) {
-	s.Name = req.Name
-	s.Domain = req.Domain
-	s.AccountID = accountID
-
-	targets := make([]*Target, 0, len(req.Targets))
-	for _, apiTarget := range req.Targets {
-		target := &Target{
-			AccountID:  accountID,
-			Path:       apiTarget.Path,
-			Port:       apiTarget.Port,
-			Protocol:   string(apiTarget.Protocol),
-			TargetId:   apiTarget.TargetId,
-			TargetType: string(apiTarget.TargetType),
-			Enabled:    apiTarget.Enabled,
-		}
-		if apiTarget.Host != nil {
-			target.Host = *apiTarget.Host
-		}
-		targets = append(targets, target)
-	}
-	s.Targets = targets
-
-	s.Enabled = req.Enabled
-
-	if req.PassHostHeader != nil {
-		s.PassHostHeader = *req.PassHostHeader
-	}
-
-	if req.RewriteRedirects != nil {
-		s.RewriteRedirects = *req.RewriteRedirects
-	}
-
-	if req.Auth.PasswordAuth != nil {
-		s.Auth.PasswordAuth = &PasswordAuthConfig{
-			Enabled:  req.Auth.PasswordAuth.Enabled,
-			Password: req.Auth.PasswordAuth.Password,
-		}
-	}
-
-	if req.Auth.PinAuth != nil {
-		s.Auth.PinAuth = &PINAuthConfig{
-			Enabled: req.Auth.PinAuth.Enabled,
-			Pin:     req.Auth.PinAuth.Pin,
-		}
-	}
-
-	if req.Auth.BearerAuth != nil {
-		bearerAuth := &BearerAuthConfig{
-			Enabled: req.Auth.BearerAuth.Enabled,
-		}
-		if req.Auth.BearerAuth.DistributionGroups != nil {
-			bearerAuth.DistributionGroups = *req.Auth.BearerAuth.DistributionGroups
-		}
-		s.Auth.BearerAuth = bearerAuth
-	}
-}
-
-func (s *Service) Validate() error {
-	if s.Name == "" {
-		return errors.New("service name is required")
-	}
-	if len(s.Name) > 255 {
-		return errors.New("service name exceeds maximum length of 255 characters")
-	}
-
-	if s.Domain == "" {
-		return errors.New("service domain is required")
-	}
-
-	if len(s.Targets) == 0 {
-		return errors.New("at least one target is required")
-	}
-
-	for i, target := range s.Targets {
-		switch target.TargetType {
-		case TargetTypePeer, TargetTypeHost, TargetTypeDomain:
-			// host field will be ignored
-		case TargetTypeSubnet:
-			if target.Host == "" {
-				return fmt.Errorf("target %d has empty host but target_type is %q", i, target.TargetType)
-			}
-		default:
-			return fmt.Errorf("target %d has invalid target_type %q", i, target.TargetType)
-		}
-		if target.TargetId == "" {
-			return fmt.Errorf("target %d has empty target_id", i)
-		}
-	}
-
-	return nil
-}
-
-func (s *Service) EventMeta() map[string]any {
-	return map[string]any{"name": s.Name, "domain": s.Domain, "proxy_cluster": s.ProxyCluster}
-}
-
-func (s *Service) Copy() *Service {
-	targets := make([]*Target, len(s.Targets))
-	for i, target := range s.Targets {
-		targetCopy := *target
-		targets[i] = &targetCopy
-	}
-
-	return &Service{
-		ID:                s.ID,
-		AccountID:         s.AccountID,
-		Name:              s.Name,
-		Domain:            s.Domain,
-		ProxyCluster:      s.ProxyCluster,
-		Targets:           targets,
-		Enabled:           s.Enabled,
-		PassHostHeader:    s.PassHostHeader,
-		RewriteRedirects:  s.RewriteRedirects,
-		Auth:              s.Auth,
-		Meta:              s.Meta,
-		SessionPrivateKey: s.SessionPrivateKey,
-		SessionPublicKey:  s.SessionPublicKey,
-	}
-}
-
-func (s *Service) EncryptSensitiveData(enc *crypt.FieldEncrypt) error {
-	if enc == nil {
-		return nil
-	}
-
-	if s.SessionPrivateKey != "" {
-		var err error
-		s.SessionPrivateKey, err = enc.Encrypt(s.SessionPrivateKey)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *Service) DecryptSensitiveData(enc *crypt.FieldEncrypt) error {
-	if enc == nil {
-		return nil
-	}
-
-	if s.SessionPrivateKey != "" {
-		var err error
-		s.SessionPrivateKey, err = enc.Decrypt(s.SessionPrivateKey)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
--- a/management/internals/modules/reverseproxy/reverseproxy_test.go
+++ b/management/internals/modules/reverseproxy/reverseproxy_test.go
@@ -1,405 +0,0 @@
-package reverseproxy
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/shared/hash/argon2id"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-func validProxy() *Service {
-	return &Service{
-		Name:   "test",
-		Domain: "example.com",
-		Targets: []*Target{
-			{TargetId: "peer-1", TargetType: TargetTypePeer, Host: "10.0.0.1", Port: 80, Protocol: "http", Enabled: true},
-		},
-	}
-}
-
-func TestValidate_Valid(t *testing.T) {
-	require.NoError(t, validProxy().Validate())
-}
-
-func TestValidate_EmptyName(t *testing.T) {
-	rp := validProxy()
-	rp.Name = ""
-	assert.ErrorContains(t, rp.Validate(), "name is required")
-}
-
-func TestValidate_EmptyDomain(t *testing.T) {
-	rp := validProxy()
-	rp.Domain = ""
-	assert.ErrorContains(t, rp.Validate(), "domain is required")
-}
-
-func TestValidate_NoTargets(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = nil
-	assert.ErrorContains(t, rp.Validate(), "at least one target")
-}
-
-func TestValidate_EmptyTargetId(t *testing.T) {
-	rp := validProxy()
-	rp.Targets[0].TargetId = ""
-	assert.ErrorContains(t, rp.Validate(), "empty target_id")
-}
-
-func TestValidate_InvalidTargetType(t *testing.T) {
-	rp := validProxy()
-	rp.Targets[0].TargetType = "invalid"
-	assert.ErrorContains(t, rp.Validate(), "invalid target_type")
-}
-
-func TestValidate_ResourceTarget(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = append(rp.Targets, &Target{
-		TargetId:   "resource-1",
-		TargetType: TargetTypeHost,
-		Host:       "example.org",
-		Port:       443,
-		Protocol:   "https",
-		Enabled:    true,
-	})
-	require.NoError(t, rp.Validate())
-}
-
-func TestValidate_MultipleTargetsOneInvalid(t *testing.T) {
-	rp := validProxy()
-	rp.Targets = append(rp.Targets, &Target{
-		TargetId:   "",
-		TargetType: TargetTypePeer,
-		Host:       "10.0.0.2",
-		Port:       80,
-		Protocol:   "http",
-		Enabled:    true,
-	})
-	err := rp.Validate()
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "target 1")
-	assert.Contains(t, err.Error(), "empty target_id")
-}
-
-func TestIsDefaultPort(t *testing.T) {
-	tests := []struct {
-		scheme string
-		port   int
-		want   bool
-	}{
-		{"http", 80, true},
-		{"https", 443, true},
-		{"http", 443, false},
-		{"https", 80, false},
-		{"http", 8080, false},
-		{"https", 8443, false},
-		{"http", 0, false},
-		{"https", 0, false},
-	}
-	for _, tt := range tests {
-		t.Run(fmt.Sprintf("%s/%d", tt.scheme, tt.port), func(t *testing.T) {
-			assert.Equal(t, tt.want, isDefaultPort(tt.scheme, tt.port))
-		})
-	}
-}
-
-func TestToProtoMapping_PortInTargetURL(t *testing.T) {
-	oidcConfig := OIDCValidationConfig{}
-
-	tests := []struct {
-		name       string
-		protocol   string
-		host       string
-		port       int
-		wantTarget string
-	}{
-		{
-			name:       "http with default port 80 omits port",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       80,
-			wantTarget: "http://10.0.0.1/",
-		},
-		{
-			name:       "https with default port 443 omits port",
-			protocol:   "https",
-			host:       "10.0.0.1",
-			port:       443,
-			wantTarget: "https://10.0.0.1/",
-		},
-		{
-			name:       "port 0 omits port",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       0,
-			wantTarget: "http://10.0.0.1/",
-		},
-		{
-			name:       "non-default port is included",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       8080,
-			wantTarget: "http://10.0.0.1:8080/",
-		},
-		{
-			name:       "https with non-default port is included",
-			protocol:   "https",
-			host:       "10.0.0.1",
-			port:       8443,
-			wantTarget: "https://10.0.0.1:8443/",
-		},
-		{
-			name:       "http port 443 is included",
-			protocol:   "http",
-			host:       "10.0.0.1",
-			port:       443,
-			wantTarget: "http://10.0.0.1:443/",
-		},
-		{
-			name:       "https port 80 is included",
-			protocol:   "https",
-			host:       "10.0.0.1",
-			port:       80,
-			wantTarget: "https://10.0.0.1:80/",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			rp := &Service{
-				ID:        "test-id",
-				AccountID: "acc-1",
-				Domain:    "example.com",
-				Targets: []*Target{
-					{
-						TargetId:   "peer-1",
-						TargetType: TargetTypePeer,
-						Host:       tt.host,
-						Port:       tt.port,
-						Protocol:   tt.protocol,
-						Enabled:    true,
-					},
-				},
-			}
-			pm := rp.ToProtoMapping(Create, "token", oidcConfig)
-			require.Len(t, pm.Path, 1, "should have one path mapping")
-			assert.Equal(t, tt.wantTarget, pm.Path[0].Target)
-		})
-	}
-}
-
-func TestToProtoMapping_DisabledTargetSkipped(t *testing.T) {
-	rp := &Service{
-		ID:        "test-id",
-		AccountID: "acc-1",
-		Domain:    "example.com",
-		Targets: []*Target{
-			{TargetId: "peer-1", TargetType: TargetTypePeer, Host: "10.0.0.1", Port: 8080, Protocol: "http", Enabled: false},
-			{TargetId: "peer-2", TargetType: TargetTypePeer, Host: "10.0.0.2", Port: 9090, Protocol: "http", Enabled: true},
-		},
-	}
-	pm := rp.ToProtoMapping(Create, "token", OIDCValidationConfig{})
-	require.Len(t, pm.Path, 1)
-	assert.Equal(t, "http://10.0.0.2:9090/", pm.Path[0].Target)
-}
-
-func TestToProtoMapping_OperationTypes(t *testing.T) {
-	rp := validProxy()
-	tests := []struct {
-		op   Operation
-		want proto.ProxyMappingUpdateType
-	}{
-		{Create, proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED},
-		{Update, proto.ProxyMappingUpdateType_UPDATE_TYPE_MODIFIED},
-		{Delete, proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED},
-	}
-	for _, tt := range tests {
-		t.Run(string(tt.op), func(t *testing.T) {
-			pm := rp.ToProtoMapping(tt.op, "", OIDCValidationConfig{})
-			assert.Equal(t, tt.want, pm.Type)
-		})
-	}
-}
-
-func TestAuthConfig_HashSecrets(t *testing.T) {
-	tests := []struct {
-		name     string
-		config   *AuthConfig
-		wantErr  bool
-		validate func(*testing.T, *AuthConfig)
-	}{
-		{
-			name: "hash password successfully",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  true,
-					Password: "testPassword123",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if !strings.HasPrefix(config.PasswordAuth.Password, "$argon2id$") {
-					t.Errorf("Password not hashed with argon2id, got: %s", config.PasswordAuth.Password)
-				}
-				// Verify the hash can be verified
-				if err := argon2id.Verify("testPassword123", config.PasswordAuth.Password); err != nil {
-					t.Errorf("Hash verification failed: %v", err)
-				}
-			},
-		},
-		{
-			name: "hash PIN successfully",
-			config: &AuthConfig{
-				PinAuth: &PINAuthConfig{
-					Enabled: true,
-					Pin:     "123456",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
-					t.Errorf("PIN not hashed with argon2id, got: %s", config.PinAuth.Pin)
-				}
-				// Verify the hash can be verified
-				if err := argon2id.Verify("123456", config.PinAuth.Pin); err != nil {
-					t.Errorf("Hash verification failed: %v", err)
-				}
-			},
-		},
-		{
-			name: "hash both password and PIN",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  true,
-					Password: "password",
-				},
-				PinAuth: &PINAuthConfig{
-					Enabled: true,
-					Pin:     "9999",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if !strings.HasPrefix(config.PasswordAuth.Password, "$argon2id$") {
-					t.Errorf("Password not hashed with argon2id")
-				}
-				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
-					t.Errorf("PIN not hashed with argon2id")
-				}
-				if err := argon2id.Verify("password", config.PasswordAuth.Password); err != nil {
-					t.Errorf("Password hash verification failed: %v", err)
-				}
-				if err := argon2id.Verify("9999", config.PinAuth.Pin); err != nil {
-					t.Errorf("PIN hash verification failed: %v", err)
-				}
-			},
-		},
-		{
-			name: "skip disabled password auth",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  false,
-					Password: "password",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if config.PasswordAuth.Password != "password" {
-					t.Errorf("Disabled password auth should not be hashed")
-				}
-			},
-		},
-		{
-			name: "skip empty password",
-			config: &AuthConfig{
-				PasswordAuth: &PasswordAuthConfig{
-					Enabled:  true,
-					Password: "",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if config.PasswordAuth.Password != "" {
-					t.Errorf("Empty password should remain empty")
-				}
-			},
-		},
-		{
-			name: "skip nil password auth",
-			config: &AuthConfig{
-				PasswordAuth: nil,
-				PinAuth: &PINAuthConfig{
-					Enabled: true,
-					Pin:     "1234",
-				},
-			},
-			wantErr: false,
-			validate: func(t *testing.T, config *AuthConfig) {
-				if config.PasswordAuth != nil {
-					t.Errorf("PasswordAuth should remain nil")
-				}
-				if !strings.HasPrefix(config.PinAuth.Pin, "$argon2id$") {
-					t.Errorf("PIN should still be hashed")
-				}
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := tt.config.HashSecrets()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("HashSecrets() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if tt.validate != nil {
-				tt.validate(t, tt.config)
-			}
-		})
-	}
-}
-
-func TestAuthConfig_HashSecrets_VerifyIncorrectSecret(t *testing.T) {
-	config := &AuthConfig{
-		PasswordAuth: &PasswordAuthConfig{
-			Enabled:  true,
-			Password: "correctPassword",
-		},
-	}
-
-	if err := config.HashSecrets(); err != nil {
-		t.Fatalf("HashSecrets() error = %v", err)
-	}
-
-	// Verify with wrong password should fail
-	err := argon2id.Verify("wrongPassword", config.PasswordAuth.Password)
-	if !errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
-		t.Errorf("Expected ErrMismatchedHashAndPassword, got %v", err)
-	}
-}
-
-func TestAuthConfig_ClearSecrets(t *testing.T) {
-	config := &AuthConfig{
-		PasswordAuth: &PasswordAuthConfig{
-			Enabled:  true,
-			Password: "hashedPassword",
-		},
-		PinAuth: &PINAuthConfig{
-			Enabled: true,
-			Pin:     "hashedPin",
-		},
-	}
-
-	config.ClearSecrets()
-
-	if config.PasswordAuth.Password != "" {
-		t.Errorf("Password not cleared, got: %s", config.PasswordAuth.Password)
-	}
-	if config.PinAuth.Pin != "" {
-		t.Errorf("PIN not cleared, got: %s", config.PinAuth.Pin)
-	}
-}
--- a/management/internals/modules/reverseproxy/sessionkey/sessionkey.go
+++ b/management/internals/modules/reverseproxy/sessionkey/sessionkey.go
@@ -1,69 +0,0 @@
-package sessionkey
-
-import (
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/base64"
-	"fmt"
-	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-
-	"github.com/netbirdio/netbird/proxy/auth"
-)
-
-type KeyPair struct {
-	PrivateKey string
-	PublicKey  string
-}
-
-type Claims struct {
-	jwt.RegisteredClaims
-	Method auth.Method `json:"method"`
-}
-
-func GenerateKeyPair() (*KeyPair, error) {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("generate ed25519 key: %w", err)
-	}
-
-	return &KeyPair{
-		PrivateKey: base64.StdEncoding.EncodeToString(priv),
-		PublicKey:  base64.StdEncoding.EncodeToString(pub),
-	}, nil
-}
-
-func SignToken(privKeyB64, userID, domain string, method auth.Method, expiration time.Duration) (string, error) {
-	privKeyBytes, err := base64.StdEncoding.DecodeString(privKeyB64)
-	if err != nil {
-		return "", fmt.Errorf("decode private key: %w", err)
-	}
-
-	if len(privKeyBytes) != ed25519.PrivateKeySize {
-		return "", fmt.Errorf("invalid private key size: got %d, want %d", len(privKeyBytes), ed25519.PrivateKeySize)
-	}
-
-	privKey := ed25519.PrivateKey(privKeyBytes)
-
-	now := time.Now()
-	claims := Claims{
-		RegisteredClaims: jwt.RegisteredClaims{
-			Issuer:    auth.SessionJWTIssuer,
-			Subject:   userID,
-			Audience:  jwt.ClaimStrings{domain},
-			ExpiresAt: jwt.NewNumericDate(now.Add(expiration)),
-			IssuedAt:  jwt.NewNumericDate(now),
-			NotBefore: jwt.NewNumericDate(now),
-		},
-		Method: method,
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
-	signedToken, err := token.SignedString(privKey)
-	if err != nil {
-		return "", fmt.Errorf("sign token: %w", err)
-	}
-
-	return signedToken, nil
-}
--- a/management/internals/server/boot.go
+++ b/management/internals/server/boot.go
@@ -21,8 +21,6 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/formatter/hook"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
@@ -94,7 +92,7 @@ func (s *BaseServer) EventStore() activity.Store {

 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -122,13 +120,11 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 			realip.WithTrustedProxiesCount(trustedProxiesCount),
 			realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
 		}
-		proxyUnary, proxyStream, proxyAuthClose := nbgrpc.NewProxyAuthInterceptors(s.Store())
-		s.proxyAuthClose = proxyAuthClose
 		gRPCOpts := []grpc.ServerOption{
 			grpc.KeepaliveEnforcementPolicy(kaep),
 			grpc.KeepaliveParams(kasp),
-			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor, proxyUnary),
-			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor, proxyStream),
+			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor),
+			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor),
 		}

 		if s.Config.HttpConfig.LetsEncryptDomain != "" {
@@ -154,53 +150,10 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 		}
 		mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)

-		mgmtProto.RegisterProxyServiceServer(gRPCAPIHandler, s.ReverseProxyGRPCServer())
-		log.Info("ProxyService registered on gRPC server")
-
 		return gRPCAPIHandler
 	})
 }

-func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
-	return Create(s, func() *nbgrpc.ProxyServiceServer {
-		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager())
-		s.AfterInit(func(s *BaseServer) {
-			proxyService.SetProxyManager(s.ReverseProxyManager())
-		})
-		return proxyService
-	})
-}
-
-func (s *BaseServer) proxyOIDCConfig() nbgrpc.ProxyOIDCConfig {
-	return Create(s, func() nbgrpc.ProxyOIDCConfig {
-		return nbgrpc.ProxyOIDCConfig{
-			Issuer: s.Config.HttpConfig.AuthIssuer,
-			// todo: double check auth clientID value
-			ClientID:     s.Config.HttpConfig.AuthClientID, // Reuse dashboard client
-			Scopes:       []string{"openid", "profile", "email"},
-			CallbackURL:  s.Config.HttpConfig.AuthCallbackURL,
-			HMACKey:      []byte(s.Config.DataStoreEncryptionKey), // Use the datastore encryption key for OIDC state HMACs, this should ensure all management instances are using the same key.
-			Audience:     s.Config.HttpConfig.AuthAudience,
-			KeysLocation: s.Config.HttpConfig.AuthKeysLocation,
-		}
-	})
-}
-
-func (s *BaseServer) ProxyTokenStore() *nbgrpc.OneTimeTokenStore {
-	return Create(s, func() *nbgrpc.OneTimeTokenStore {
-		tokenStore := nbgrpc.NewOneTimeTokenStore(1 * time.Minute)
-		log.Info("One-time token store initialized for proxy authentication")
-		return tokenStore
-	})
-}
-
-func (s *BaseServer) AccessLogsManager() accesslogs.Manager {
-	return Create(s, func() accesslogs.Manager {
-		accessLogManager := accesslogsmanager.NewManager(s.Store(), s.PermissionsManager(), s.GeoLocationManager())
-		return accessLogManager
-	})
-}
-
 func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
 	// Load server's certificate and private key
 	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
--- a/management/internals/server/config/config.go
+++ b/management/internals/server/config/config.go
@@ -100,8 +100,6 @@ type HttpServerConfig struct {
 	CertFile string
 	// CertKey is the location of the certificate private key
 	CertKey string
-	// AuthClientID is the client id used for proxy SSO auth
-	AuthClientID string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
 	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
@@ -119,8 +117,6 @@ type HttpServerConfig struct {
 	IdpSignKeyRefreshEnabled bool
 	// Extra audience
 	ExtraAuthAudience string
-	// AuthCallbackDomain contains the callback domain
-	AuthCallbackURL string
 }

 // Host represents a Netbird host (e.g. STUN, TURN, Signal)
--- a/management/internals/server/modules.go
+++ b/management/internals/server/modules.go
@@ -8,9 +8,6 @@ import (

 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-	nbreverseproxy "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
@@ -72,14 +69,7 @@ func (s *BaseServer) UsersManager() users.Manager {
 func (s *BaseServer) SettingsManager() settings.Manager {
 	return Create(s, func() settings.Manager {
 		extraSettingsManager := integrations.NewManager(s.EventStore())
-
-		idpConfig := settings.IdpConfig{}
-		if s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled {
-			idpConfig.EmbeddedIdpEnabled = true
-			idpConfig.LocalAuthDisabled = s.Config.EmbeddedIdP.LocalAuthDisabled
-		}
-
-		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, s.PermissionsManager(), idpConfig)
+		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, s.PermissionsManager())
 	})
 }

@@ -101,11 +91,6 @@ func (s *BaseServer) AccountManager() account.Manager {
 		if err != nil {
 			log.Fatalf("failed to create account manager: %v", err)
 		}
-
-		s.AfterInit(func(s *BaseServer) {
-			accountManager.SetServiceManager(s.ReverseProxyManager())
-		})
-
 		return accountManager
 	})
 }
@@ -162,7 +147,7 @@ func (s *BaseServer) GroupsManager() groups.Manager {

 func (s *BaseServer) ResourcesManager() resources.Manager {
 	return Create(s, func() resources.Manager {
-		return resources.NewManager(s.Store(), s.PermissionsManager(), s.GroupsManager(), s.AccountManager(), s.ReverseProxyManager())
+		return resources.NewManager(s.Store(), s.PermissionsManager(), s.GroupsManager(), s.AccountManager())
 	})
 }

@@ -189,16 +174,3 @@ func (s *BaseServer) RecordsManager() records.Manager {
 		return recordsManager.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager())
 	})
 }
-
-func (s *BaseServer) ReverseProxyManager() reverseproxy.Manager {
-	return Create(s, func() reverseproxy.Manager {
-		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ReverseProxyGRPCServer(), s.ProxyTokenStore(), s.ReverseProxyDomainManager())
-	})
-}
-
-func (s *BaseServer) ReverseProxyDomainManager() *domain.Manager {
-	return Create(s, func() *domain.Manager {
-		m := domain.NewManager(s.Store(), s.ReverseProxyGRPCServer())
-		return &m
-	})
-}
--- a/management/internals/server/server.go
+++ b/management/internals/server/server.go
@@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/google/uuid"
+	"github.com/netbirdio/netbird/management/server/idp"
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"
 	"golang.org/x/crypto/acme/autocert"
@@ -20,7 +21,6 @@ import (

 	"github.com/netbirdio/netbird/encryption"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/metrics"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/util/wsproxy"
@@ -58,8 +58,6 @@ type BaseServer struct {
 	mgmtMetricsPort          int
 	mgmtPort                 int

-	proxyAuthClose func()
-
 	listener    net.Listener
 	certManager *autocert.Manager
 	update      *version.Update
@@ -217,10 +215,6 @@ func (s *BaseServer) Stop() error {
 		_ = s.certManager.Listener().Close()
 	}
 	s.GRPCServer().Stop()
-	if s.proxyAuthClose != nil {
-		s.proxyAuthClose()
-		s.proxyAuthClose = nil
-	}
 	_ = s.Store().Close(ctx)
 	_ = s.EventStore().Close(ctx)
 	if s.update != nil {
--- a/management/internals/shared/grpc/onetime_token.go
+++ b/management/internals/shared/grpc/onetime_token.go
@@ -1,167 +0,0 @@
-package grpc
-
-import (
-	"crypto/rand"
-	"crypto/subtle"
-	"encoding/base64"
-	"fmt"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// OneTimeTokenStore manages short-lived, single-use authentication tokens
-// for proxy-to-management RPC authentication. Tokens are generated when
-// a service is created and must be used exactly once by the proxy
-// to authenticate a subsequent RPC call.
-type OneTimeTokenStore struct {
-	tokens      map[string]*tokenMetadata
-	mu          sync.RWMutex
-	cleanup     *time.Ticker
-	cleanupDone chan struct{}
-}
-
-// tokenMetadata stores information about a one-time token
-type tokenMetadata struct {
-	ServiceID string
-	AccountID string
-	ExpiresAt time.Time
-	CreatedAt time.Time
-}
-
-// NewOneTimeTokenStore creates a new token store with automatic cleanup
-// of expired tokens. The cleanupInterval determines how often expired
-// tokens are removed from memory.
-func NewOneTimeTokenStore(cleanupInterval time.Duration) *OneTimeTokenStore {
-	store := &OneTimeTokenStore{
-		tokens:      make(map[string]*tokenMetadata),
-		cleanup:     time.NewTicker(cleanupInterval),
-		cleanupDone: make(chan struct{}),
-	}
-
-	// Start background cleanup goroutine
-	go store.cleanupExpired()
-
-	return store
-}
-
-// GenerateToken creates a new cryptographically secure one-time token
-// with the specified TTL. The token is associated with a specific
-// accountID and serviceID for validation purposes.
-//
-// Returns the generated token string or an error if random generation fails.
-func (s *OneTimeTokenStore) GenerateToken(accountID, serviceID string, ttl time.Duration) (string, error) {
-	// Generate 32 bytes (256 bits) of cryptographically secure random data
-	randomBytes := make([]byte, 32)
-	if _, err := rand.Read(randomBytes); err != nil {
-		return "", fmt.Errorf("failed to generate random token: %w", err)
-	}
-
-	// Encode as URL-safe base64 for easy transmission in gRPC
-	token := base64.URLEncoding.EncodeToString(randomBytes)
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	s.tokens[token] = &tokenMetadata{
-		ServiceID: serviceID,
-		AccountID: accountID,
-		ExpiresAt: time.Now().Add(ttl),
-		CreatedAt: time.Now(),
-	}
-
-	log.Debugf("Generated one-time token for proxy %s in account %s (expires in %s)",
-		serviceID, accountID, ttl)
-
-	return token, nil
-}
-
-// ValidateAndConsume verifies the token against the provided accountID and
-// serviceID, checks expiration, and then deletes it to enforce single-use.
-//
-// This method uses constant-time comparison to prevent timing attacks.
-//
-// Returns nil on success, or an error if:
-// - Token doesn't exist
-// - Token has expired
-// - Account ID doesn't match
-// - Reverse proxy ID doesn't match
-func (s *OneTimeTokenStore) ValidateAndConsume(token, accountID, serviceID string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	metadata, exists := s.tokens[token]
-	if !exists {
-		log.Warnf("Token validation failed: token not found (proxy: %s, account: %s)",
-			serviceID, accountID)
-		return fmt.Errorf("invalid token")
-	}
-
-	// Check expiration
-	if time.Now().After(metadata.ExpiresAt) {
-		delete(s.tokens, token)
-		log.Warnf("Token validation failed: token expired (proxy: %s, account: %s)",
-			serviceID, accountID)
-		return fmt.Errorf("token expired")
-	}
-
-	// Validate account ID using constant-time comparison (prevents timing attacks)
-	if subtle.ConstantTimeCompare([]byte(metadata.AccountID), []byte(accountID)) != 1 {
-		log.Warnf("Token validation failed: account ID mismatch (expected: %s, got: %s)",
-			metadata.AccountID, accountID)
-		return fmt.Errorf("account ID mismatch")
-	}
-
-	// Validate service ID using constant-time comparison
-	if subtle.ConstantTimeCompare([]byte(metadata.ServiceID), []byte(serviceID)) != 1 {
-		log.Warnf("Token validation failed: service ID mismatch (expected: %s, got: %s)",
-			metadata.ServiceID, serviceID)
-		return fmt.Errorf("service ID mismatch")
-	}
-
-	// Delete token immediately to enforce single-use
-	delete(s.tokens, token)
-
-	log.Infof("Token validated and consumed for proxy %s in account %s",
-		serviceID, accountID)
-
-	return nil
-}
-
-// cleanupExpired removes expired tokens in the background to prevent memory leaks
-func (s *OneTimeTokenStore) cleanupExpired() {
-	for {
-		select {
-		case <-s.cleanup.C:
-			s.mu.Lock()
-			now := time.Now()
-			removed := 0
-			for token, metadata := range s.tokens {
-				if now.After(metadata.ExpiresAt) {
-					delete(s.tokens, token)
-					removed++
-				}
-			}
-			if removed > 0 {
-				log.Debugf("Cleaned up %d expired one-time tokens", removed)
-			}
-			s.mu.Unlock()
-		case <-s.cleanupDone:
-			return
-		}
-	}
-}
-
-// Close stops the cleanup goroutine and releases resources
-func (s *OneTimeTokenStore) Close() {
-	s.cleanup.Stop()
-	close(s.cleanupDone)
-}
-
-// GetTokenCount returns the current number of tokens in the store (for debugging/metrics)
-func (s *OneTimeTokenStore) GetTokenCount() int {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	return len(s.tokens)
-}
--- a/management/internals/shared/grpc/proxy.go
+++ b/management/internals/shared/grpc/proxy.go
@@ -1,956 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"net"
-	"net/url"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/oauth2"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/management/internals/modules/peers"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/management/server/users"
-	proxyauth "github.com/netbirdio/netbird/proxy/auth"
-	"github.com/netbirdio/netbird/shared/hash/argon2id"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-type ProxyOIDCConfig struct {
-	Issuer      string
-	ClientID    string
-	Scopes      []string
-	CallbackURL string
-	HMACKey     []byte
-
-	Audience     string
-	KeysLocation string
-}
-
-// ClusterInfo contains information about a proxy cluster.
-type ClusterInfo struct {
-	Address          string
-	ConnectedProxies int
-}
-
-// ProxyServiceServer implements the ProxyService gRPC server
-type ProxyServiceServer struct {
-	proto.UnimplementedProxyServiceServer
-
-	// Map of connected proxies: proxy_id -> proxy connection
-	connectedProxies sync.Map
-
-	// Map of cluster address -> set of proxy IDs
-	clusterProxies sync.Map
-
-	// Channel for broadcasting reverse proxy updates to all proxies
-	updatesChan chan *proto.ProxyMapping
-
-	// Manager for access logs
-	accessLogManager accesslogs.Manager
-
-	// Manager for reverse proxy operations
-	reverseProxyManager reverseproxy.Manager
-
-	// Manager for peers
-	peersManager peers.Manager
-
-	// Manager for users
-	usersManager users.Manager
-
-	// Store for one-time authentication tokens
-	tokenStore *OneTimeTokenStore
-
-	// OIDC configuration for proxy authentication
-	oidcConfig ProxyOIDCConfig
-
-	// TODO: use database to store these instead?
-	pkceVerifiers sync.Map
-}
-
-// proxyConnection represents a connected proxy
-type proxyConnection struct {
-	proxyID  string
-	address  string
-	stream   proto.ProxyService_GetMappingUpdateServer
-	sendChan chan *proto.ProxyMapping
-	ctx      context.Context
-	cancel   context.CancelFunc
-	mu       sync.RWMutex
-}
-
-// NewProxyServiceServer creates a new proxy service server.
-func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager) *ProxyServiceServer {
-	return &ProxyServiceServer{
-		updatesChan:      make(chan *proto.ProxyMapping, 100),
-		accessLogManager: accessLogMgr,
-		oidcConfig:       oidcConfig,
-		tokenStore:       tokenStore,
-		peersManager:     peersManager,
-		usersManager:     usersManager,
-	}
-}
-
-func (s *ProxyServiceServer) SetProxyManager(manager reverseproxy.Manager) {
-	s.reverseProxyManager = manager
-}
-
-// GetMappingUpdate handles the control stream with proxy clients
-func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
-	ctx := stream.Context()
-
-	peerInfo := ""
-	if p, ok := peer.FromContext(ctx); ok {
-		peerInfo = p.Addr.String()
-	}
-
-	log.Infof("New proxy connection from %s", peerInfo)
-
-	proxyID := req.GetProxyId()
-	if proxyID == "" {
-		return status.Errorf(codes.InvalidArgument, "proxy_id is required")
-	}
-
-	proxyAddress := req.GetAddress()
-	log.WithFields(log.Fields{
-		"proxy_id": proxyID,
-		"address":  proxyAddress,
-		"version":  req.GetVersion(),
-		"started":  req.GetStartedAt().AsTime(),
-	}).Info("Proxy connected")
-
-	connCtx, cancel := context.WithCancel(ctx)
-	conn := &proxyConnection{
-		proxyID:  proxyID,
-		address:  proxyAddress,
-		stream:   stream,
-		sendChan: make(chan *proto.ProxyMapping, 100),
-		ctx:      connCtx,
-		cancel:   cancel,
-	}
-
-	s.connectedProxies.Store(proxyID, conn)
-	s.addToCluster(conn.address, proxyID)
-	log.WithFields(log.Fields{
-		"proxy_id":      proxyID,
-		"address":       proxyAddress,
-		"cluster_addr":  extractClusterAddr(proxyAddress),
-		"total_proxies": len(s.GetConnectedProxies()),
-	}).Info("Proxy registered in cluster")
-	defer func() {
-		s.connectedProxies.Delete(proxyID)
-		s.removeFromCluster(conn.address, proxyID)
-		cancel()
-		log.Infof("Proxy %s disconnected", proxyID)
-	}()
-
-	if err := s.sendSnapshot(ctx, conn); err != nil {
-		log.Errorf("Failed to send snapshot to proxy %s: %v", proxyID, err)
-		return err
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-
-	select {
-	case err := <-errChan:
-		return err
-	case <-connCtx.Done():
-		return connCtx.Err()
-	}
-}
-
-// sendSnapshot sends the initial snapshot of services to the connecting proxy.
-// Only services matching the proxy's cluster address are sent.
-func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnection) error {
-	services, err := s.reverseProxyManager.GetGlobalServices(ctx)
-	if err != nil {
-		return fmt.Errorf("get services from store: %w", err)
-	}
-
-	proxyClusterAddr := extractClusterAddr(conn.address)
-
-	for _, service := range services {
-		if !service.Enabled {
-			continue
-		}
-
-		if service.ProxyCluster != "" && proxyClusterAddr != "" && service.ProxyCluster != proxyClusterAddr {
-			continue
-		}
-
-		// Generate one-time authentication token for each service in the snapshot
-		// Tokens are not persistent on the proxy, so we need to generate new ones on reconnection
-		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, 5*time.Minute)
-		if err != nil {
-			log.WithFields(log.Fields{
-				"service": service.Name,
-				"account": service.AccountID,
-			}).WithError(err).Error("Failed to generate auth token for snapshot")
-			continue
-		}
-
-		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
-			Mapping: []*proto.ProxyMapping{
-				service.ToProtoMapping(
-					reverseproxy.Create, // Initial snapshot, all records are "new" for the proxy.
-					token,
-					s.GetOIDCValidationConfig(),
-				),
-			},
-		}); err != nil {
-			log.WithError(err).Error("Failed to send proxy mapping")
-			continue
-		}
-	}
-
-	return nil
-}
-
-// extractClusterAddr extracts the host from a proxy address URL.
-func extractClusterAddr(addr string) string {
-	if addr == "" {
-		return ""
-	}
-	u, err := url.Parse(addr)
-	if err != nil {
-		return addr
-	}
-	host := u.Host
-	if h, _, err := net.SplitHostPort(host); err == nil {
-		return h
-	}
-	return host
-}
-
-// sender handles sending messages to proxy
-func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error) {
-	for {
-		select {
-		case msg := <-conn.sendChan:
-			if err := conn.stream.Send(&proto.GetMappingUpdateResponse{Mapping: []*proto.ProxyMapping{msg}}); err != nil {
-				log.Errorf("Failed to send message to proxy %s: %v", conn.proxyID, err)
-				errChan <- err
-				return
-			}
-		case <-conn.ctx.Done():
-			return
-		}
-	}
-}
-
-// SendAccessLog processes access log from proxy
-func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendAccessLogRequest) (*proto.SendAccessLogResponse, error) {
-	accessLog := req.GetLog()
-
-	fields := log.Fields{
-		"service_id": accessLog.GetServiceId(),
-		"account_id": accessLog.GetAccountId(),
-		"host":       accessLog.GetHost(),
-		"source_ip":  accessLog.GetSourceIp(),
-	}
-	if mechanism := accessLog.GetAuthMechanism(); mechanism != "" {
-		fields["auth_mechanism"] = mechanism
-	}
-	if userID := accessLog.GetUserId(); userID != "" {
-		fields["user_id"] = userID
-	}
-	if !accessLog.GetAuthSuccess() {
-		fields["auth_success"] = false
-	}
-	log.WithFields(fields).Debugf("%s %s %d (%dms)",
-		accessLog.GetMethod(),
-		accessLog.GetPath(),
-		accessLog.GetResponseCode(),
-		accessLog.GetDurationMs(),
-	)
-
-	logEntry := &accesslogs.AccessLogEntry{}
-	logEntry.FromProto(accessLog)
-
-	if err := s.accessLogManager.SaveAccessLog(ctx, logEntry); err != nil {
-		log.WithContext(ctx).Errorf("failed to save access log: %v", err)
-		return nil, status.Errorf(codes.Internal, "failed to save access log: %v", err)
-	}
-
-	return &proto.SendAccessLogResponse{}, nil
-}
-
-// SendServiceUpdate broadcasts a service update to all connected proxy servers.
-// Management should call this when services are created/updated/removed
-func (s *ProxyServiceServer) SendServiceUpdate(update *proto.ProxyMapping) {
-	// Send it to all connected proxy servers
-	log.Debugf("Broadcasting service update to all connected proxy servers")
-	s.connectedProxies.Range(func(key, value interface{}) bool {
-		conn := value.(*proxyConnection)
-		select {
-		case conn.sendChan <- update:
-			log.Debugf("Sent service update with id %s to proxy server %s", update.Id, conn.proxyID)
-		default:
-			log.Warnf("Failed to send service update to proxy server %s (channel full)", conn.proxyID)
-		}
-		return true
-	})
-}
-
-// GetConnectedProxies returns a list of connected proxy IDs
-func (s *ProxyServiceServer) GetConnectedProxies() []string {
-	var proxies []string
-	s.connectedProxies.Range(func(key, value interface{}) bool {
-		proxies = append(proxies, key.(string))
-		return true
-	})
-	return proxies
-}
-
-// GetConnectedProxyURLs returns a deduplicated list of URLs from all connected proxies.
-func (s *ProxyServiceServer) GetConnectedProxyURLs() []string {
-	seenUrls := make(map[string]struct{})
-	var urls []string
-	var proxyCount int
-	s.connectedProxies.Range(func(key, value interface{}) bool {
-		proxyCount++
-		conn := value.(*proxyConnection)
-		log.WithFields(log.Fields{
-			"proxy_id": conn.proxyID,
-			"address":  conn.address,
-		}).Debug("checking connected proxy for URL")
-		if _, seen := seenUrls[conn.address]; conn.address != "" && !seen {
-			seenUrls[conn.address] = struct{}{}
-			urls = append(urls, conn.address)
-		}
-		return true
-	})
-	log.WithFields(log.Fields{
-		"total_proxies":  proxyCount,
-		"unique_urls":    len(urls),
-		"connected_urls": urls,
-	}).Debug("GetConnectedProxyURLs result")
-	return urls
-}
-
-// addToCluster registers a proxy in a cluster.
-func (s *ProxyServiceServer) addToCluster(clusterAddr, proxyID string) {
-	if clusterAddr == "" {
-		return
-	}
-	proxySet, _ := s.clusterProxies.LoadOrStore(clusterAddr, &sync.Map{})
-	proxySet.(*sync.Map).Store(proxyID, struct{}{})
-	log.Debugf("Added proxy %s to cluster %s", proxyID, clusterAddr)
-}
-
-// removeFromCluster removes a proxy from a cluster.
-func (s *ProxyServiceServer) removeFromCluster(clusterAddr, proxyID string) {
-	if clusterAddr == "" {
-		return
-	}
-	if proxySet, ok := s.clusterProxies.Load(clusterAddr); ok {
-		proxySet.(*sync.Map).Delete(proxyID)
-		log.Debugf("Removed proxy %s from cluster %s", proxyID, clusterAddr)
-	}
-}
-
-// SendServiceUpdateToCluster sends a service update to all proxy servers in a specific cluster.
-// If clusterAddr is empty, broadcasts to all connected proxy servers (backward compatibility).
-func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMapping, clusterAddr string) {
-	if clusterAddr == "" {
-		s.SendServiceUpdate(update)
-		return
-	}
-
-	proxySet, ok := s.clusterProxies.Load(clusterAddr)
-	if !ok {
-		log.Debugf("No proxies connected for cluster %s", clusterAddr)
-		return
-	}
-
-	log.Debugf("Sending service update to cluster %s", clusterAddr)
-	proxySet.(*sync.Map).Range(func(key, _ interface{}) bool {
-		proxyID := key.(string)
-		if connVal, ok := s.connectedProxies.Load(proxyID); ok {
-			conn := connVal.(*proxyConnection)
-			select {
-			case conn.sendChan <- update:
-				log.Debugf("Sent service update with id %s to proxy %s in cluster %s", update.Id, proxyID, clusterAddr)
-			default:
-				log.Warnf("Failed to send service update to proxy %s in cluster %s (channel full)", proxyID, clusterAddr)
-			}
-		}
-		return true
-	})
-}
-
-// GetAvailableClusters returns information about all connected proxy clusters.
-func (s *ProxyServiceServer) GetAvailableClusters() []ClusterInfo {
-	clusterCounts := make(map[string]int)
-	s.clusterProxies.Range(func(key, value interface{}) bool {
-		clusterAddr := key.(string)
-		proxySet := value.(*sync.Map)
-		count := 0
-		proxySet.Range(func(_, _ interface{}) bool {
-			count++
-			return true
-		})
-		if count > 0 {
-			clusterCounts[clusterAddr] = count
-		}
-		return true
-	})
-
-	clusters := make([]ClusterInfo, 0, len(clusterCounts))
-	for addr, count := range clusterCounts {
-		clusters = append(clusters, ClusterInfo{
-			Address:          addr,
-			ConnectedProxies: count,
-		})
-	}
-	return clusters
-}
-
-func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
-	service, err := s.reverseProxyManager.GetServiceByID(ctx, req.GetAccountId(), req.GetId())
-	if err != nil {
-		// TODO: log the error
-		return nil, status.Errorf(codes.FailedPrecondition, "failed to get service from store: %v", err)
-	}
-
-	var authenticated bool
-	var userId string
-	var method proxyauth.Method
-	switch v := req.GetRequest().(type) {
-	case *proto.AuthenticateRequest_Pin:
-		auth := service.Auth.PinAuth
-		if auth == nil || !auth.Enabled {
-			// TODO: log
-			// Break here and use the default authenticated == false.
-			break
-		}
-		err = argon2id.Verify(v.Pin.GetPin(), auth.Pin)
-		if err != nil {
-			if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
-				log.WithContext(ctx).Tracef("PIN authentication failed: invalid PIN")
-			} else {
-				log.WithContext(ctx).Errorf("PIN authentication error: %v", err)
-			}
-			break
-		}
-		authenticated = true
-		userId = "pin-user"
-		method = proxyauth.MethodPIN
-	case *proto.AuthenticateRequest_Password:
-		auth := service.Auth.PasswordAuth
-		if auth == nil || !auth.Enabled {
-			// TODO: log
-			// Break here and use the default authenticated == false.
-			break
-		}
-		err = argon2id.Verify(v.Password.GetPassword(), auth.Password)
-		if err != nil {
-			if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
-				log.WithContext(ctx).Tracef("Password authentication failed: invalid password")
-			} else {
-				log.WithContext(ctx).Errorf("Password authentication error: %v", err)
-			}
-			break
-		}
-		authenticated = true
-		userId = "password-user"
-		method = proxyauth.MethodPassword
-	}
-
-	var token string
-	if authenticated && service.SessionPrivateKey != "" {
-		token, err = sessionkey.SignToken(
-			service.SessionPrivateKey,
-			userId,
-			service.Domain,
-			method,
-			proxyauth.DefaultSessionExpiry,
-		)
-		if err != nil {
-			log.WithError(err).Error("Failed to sign session token")
-			authenticated = false
-		}
-	}
-
-	return &proto.AuthenticateResponse{
-		Success:      authenticated,
-		SessionToken: token,
-	}, nil
-}
-
-// SendStatusUpdate handles status updates from proxy clients
-func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.SendStatusUpdateRequest) (*proto.SendStatusUpdateResponse, error) {
-	accountID := req.GetAccountId()
-	serviceID := req.GetServiceId()
-	protoStatus := req.GetStatus()
-	certificateIssued := req.GetCertificateIssued()
-
-	log.WithFields(log.Fields{
-		"service_id":         serviceID,
-		"account_id":         accountID,
-		"status":             protoStatus,
-		"certificate_issued": certificateIssued,
-		"error_message":      req.GetErrorMessage(),
-	}).Debug("Status update from proxy server")
-
-	if serviceID == "" || accountID == "" {
-		return nil, status.Errorf(codes.InvalidArgument, "service_id and account_id are required")
-	}
-
-	if certificateIssued {
-		if err := s.reverseProxyManager.SetCertificateIssuedAt(ctx, accountID, serviceID); err != nil {
-			log.WithContext(ctx).WithError(err).Error("Failed to set certificate issued timestamp")
-			return nil, status.Errorf(codes.Internal, "failed to update certificate timestamp: %v", err)
-		}
-		log.WithFields(log.Fields{
-			"service_id": serviceID,
-			"account_id": accountID,
-		}).Info("Certificate issued timestamp updated")
-	}
-
-	internalStatus := protoStatusToInternal(protoStatus)
-
-	if err := s.reverseProxyManager.SetStatus(ctx, accountID, serviceID, internalStatus); err != nil {
-		log.WithContext(ctx).WithError(err).Error("Failed to set service status")
-		return nil, status.Errorf(codes.Internal, "failed to update service status: %v", err)
-	}
-
-	log.WithFields(log.Fields{
-		"service_id": serviceID,
-		"account_id": accountID,
-		"status":     internalStatus,
-	}).Info("Service status updated")
-
-	return &proto.SendStatusUpdateResponse{}, nil
-}
-
-// protoStatusToInternal maps proto status to internal status
-func protoStatusToInternal(protoStatus proto.ProxyStatus) reverseproxy.ProxyStatus {
-	switch protoStatus {
-	case proto.ProxyStatus_PROXY_STATUS_PENDING:
-		return reverseproxy.StatusPending
-	case proto.ProxyStatus_PROXY_STATUS_ACTIVE:
-		return reverseproxy.StatusActive
-	case proto.ProxyStatus_PROXY_STATUS_TUNNEL_NOT_CREATED:
-		return reverseproxy.StatusTunnelNotCreated
-	case proto.ProxyStatus_PROXY_STATUS_CERTIFICATE_PENDING:
-		return reverseproxy.StatusCertificatePending
-	case proto.ProxyStatus_PROXY_STATUS_CERTIFICATE_FAILED:
-		return reverseproxy.StatusCertificateFailed
-	case proto.ProxyStatus_PROXY_STATUS_ERROR:
-		return reverseproxy.StatusError
-	default:
-		return reverseproxy.StatusError
-	}
-}
-
-// CreateProxyPeer handles proxy peer creation with one-time token authentication
-func (s *ProxyServiceServer) CreateProxyPeer(ctx context.Context, req *proto.CreateProxyPeerRequest) (*proto.CreateProxyPeerResponse, error) {
-	serviceID := req.GetServiceId()
-	accountID := req.GetAccountId()
-	token := req.GetToken()
-	cluster := req.GetCluster()
-	key := req.WireguardPublicKey
-
-	log.WithFields(log.Fields{
-		"service_id": serviceID,
-		"account_id": accountID,
-		"cluster":    cluster,
-	}).Debug("CreateProxyPeer request received")
-
-	if serviceID == "" || accountID == "" || token == "" {
-		log.Warn("CreateProxyPeer: missing required fields")
-		return &proto.CreateProxyPeerResponse{
-			Success:      false,
-			ErrorMessage: strPtr("missing required fields: service_id, account_id, and token are required"),
-		}, nil
-	}
-
-	if err := s.tokenStore.ValidateAndConsume(token, accountID, serviceID); err != nil {
-		log.WithFields(log.Fields{
-			"service_id": serviceID,
-			"account_id": accountID,
-		}).WithError(err).Warn("CreateProxyPeer: token validation failed")
-		return &proto.CreateProxyPeerResponse{
-			Success:      false,
-			ErrorMessage: strPtr("authentication failed: invalid or expired token"),
-		}, status.Errorf(codes.Unauthenticated, "token validation failed: %v", err)
-	}
-
-	err := s.peersManager.CreateProxyPeer(ctx, accountID, key, cluster)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"service_id": serviceID,
-			"account_id": accountID,
-		}).WithError(err).Error("CreateProxyPeer: failed to create proxy peer")
-		return &proto.CreateProxyPeerResponse{
-			Success:      false,
-			ErrorMessage: strPtr(fmt.Sprintf("failed to create proxy peer: %v", err)),
-		}, status.Errorf(codes.Internal, "failed to create proxy peer: %v", err)
-	}
-
-	return &proto.CreateProxyPeerResponse{
-		Success: true,
-	}, nil
-}
-
-// strPtr is a helper to create a string pointer for optional proto fields
-func strPtr(s string) *string {
-	return &s
-}
-
-func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCURLRequest) (*proto.GetOIDCURLResponse, error) {
-	redirectURL, err := url.Parse(req.GetRedirectUrl())
-	if err != nil {
-		// TODO: log
-		return nil, status.Errorf(codes.InvalidArgument, "failed to parse redirect url: %v", err)
-	}
-	// Validate redirectURL against known service endpoints to avoid abuse of OIDC redirection.
-	services, err := s.reverseProxyManager.GetAccountServices(ctx, req.GetAccountId())
-	if err != nil {
-		// TODO: log
-		return nil, status.Errorf(codes.FailedPrecondition, "failed to get services from store: %v", err)
-	}
-	var found bool
-	for _, service := range services {
-		if service.Domain == redirectURL.Hostname() {
-			found = true
-			break
-		}
-	}
-	if !found {
-		// TODO: log
-		return nil, status.Errorf(codes.FailedPrecondition, "service not found in store")
-	}
-
-	provider, err := oidc.NewProvider(ctx, s.oidcConfig.Issuer)
-	if err != nil {
-		// TODO: log
-		return nil, status.Errorf(codes.FailedPrecondition, "failed to create OIDC provider: %v", err)
-	}
-
-	scopes := s.oidcConfig.Scopes
-	if len(scopes) == 0 {
-		scopes = []string{oidc.ScopeOpenID, "profile", "email"}
-	}
-
-	// Using an HMAC here to avoid redirection state being modified.
-	// State format: base64(redirectURL)|hmac
-	hmacSum := s.generateHMAC(redirectURL.String())
-	state := fmt.Sprintf("%s|%s", base64.URLEncoding.EncodeToString([]byte(redirectURL.String())), hmacSum)
-
-	codeVerifier := oauth2.GenerateVerifier()
-	s.pkceVerifiers.Store(state, codeVerifier)
-
-	return &proto.GetOIDCURLResponse{
-		Url: (&oauth2.Config{
-			ClientID:    s.oidcConfig.ClientID,
-			Endpoint:    provider.Endpoint(),
-			RedirectURL: s.oidcConfig.CallbackURL,
-			Scopes:      scopes,
-		}).AuthCodeURL(state, oauth2.S256ChallengeOption(codeVerifier)),
-	}, nil
-}
-
-// GetOIDCConfig returns the OIDC configuration for token validation.
-func (s *ProxyServiceServer) GetOIDCConfig() ProxyOIDCConfig {
-	return s.oidcConfig
-}
-
-// GetOIDCValidationConfig returns the OIDC configuration for token validation
-// in the format needed by ToProtoMapping.
-func (s *ProxyServiceServer) GetOIDCValidationConfig() reverseproxy.OIDCValidationConfig {
-	return reverseproxy.OIDCValidationConfig{
-		Issuer:             s.oidcConfig.Issuer,
-		Audiences:          []string{s.oidcConfig.Audience},
-		KeysLocation:       s.oidcConfig.KeysLocation,
-		MaxTokenAgeSeconds: 0, // No max token age by default
-	}
-}
-
-func (s *ProxyServiceServer) generateHMAC(input string) string {
-	mac := hmac.New(sha256.New, s.oidcConfig.HMACKey)
-	mac.Write([]byte(input))
-	return hex.EncodeToString(mac.Sum(nil))
-}
-
-// ValidateState validates the state parameter from an OAuth callback.
-// Returns the original redirect URL if valid, or an error if invalid.
-func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL string, err error) {
-	v, ok := s.pkceVerifiers.LoadAndDelete(state)
-	if !ok {
-		return "", "", errors.New("no verifier for state")
-	}
-	verifier, ok = v.(string)
-	if !ok {
-		return "", "", errors.New("invalid verifier for state")
-	}
-
-	parts := strings.Split(state, "|")
-	if len(parts) != 2 {
-		return "", "", errors.New("invalid state format")
-	}
-
-	encodedURL := parts[0]
-	providedHMAC := parts[1]
-
-	redirectURLBytes, err := base64.URLEncoding.DecodeString(encodedURL)
-	if err != nil {
-		return "", "", fmt.Errorf("invalid state encoding: %w", err)
-	}
-	redirectURL = string(redirectURLBytes)
-
-	expectedHMAC := s.generateHMAC(redirectURL)
-
-	if !hmac.Equal([]byte(providedHMAC), []byte(expectedHMAC)) {
-		return "", "", fmt.Errorf("invalid state signature")
-	}
-
-	return verifier, redirectURL, nil
-}
-
-// GenerateSessionToken creates a signed session JWT for the given domain and user.
-func (s *ProxyServiceServer) GenerateSessionToken(ctx context.Context, domain, userID string, method proxyauth.Method) (string, error) {
-	// Find the service by domain to get its signing key
-	services, err := s.reverseProxyManager.GetGlobalServices(ctx)
-	if err != nil {
-		return "", fmt.Errorf("get services: %w", err)
-	}
-
-	var service *reverseproxy.Service
-	for _, svc := range services {
-		if svc.Domain == domain {
-			service = svc
-			break
-		}
-	}
-	if service == nil {
-		return "", fmt.Errorf("service not found for domain: %s", domain)
-	}
-
-	if service.SessionPrivateKey == "" {
-		return "", fmt.Errorf("no session key configured for domain: %s", domain)
-	}
-
-	return sessionkey.SignToken(
-		service.SessionPrivateKey,
-		userID,
-		domain,
-		method,
-		proxyauth.DefaultSessionExpiry,
-	)
-}
-
-// ValidateUserGroupAccess checks if a user has access to a service.
-// It looks up the service within the user's account only, then optionally checks
-// group membership if BearerAuth with DistributionGroups is configured.
-func (s *ProxyServiceServer) ValidateUserGroupAccess(ctx context.Context, domain, userID string) error {
-	user, err := s.usersManager.GetUser(ctx, userID)
-	if err != nil {
-		return fmt.Errorf("user not found: %s", userID)
-	}
-
-	service, err := s.getAccountServiceByDomain(ctx, user.AccountID, domain)
-	if err != nil {
-		return err
-	}
-
-	if service.Auth.BearerAuth == nil || !service.Auth.BearerAuth.Enabled {
-		return nil
-	}
-
-	allowedGroups := service.Auth.BearerAuth.DistributionGroups
-	if len(allowedGroups) == 0 {
-		return nil
-	}
-
-	allowedSet := make(map[string]bool, len(allowedGroups))
-	for _, groupID := range allowedGroups {
-		allowedSet[groupID] = true
-	}
-
-	for _, groupID := range user.AutoGroups {
-		if allowedSet[groupID] {
-			log.WithFields(log.Fields{
-				"user_id":  user.Id,
-				"group_id": groupID,
-				"domain":   domain,
-			}).Debug("User granted access via group membership")
-			return nil
-		}
-	}
-
-	return fmt.Errorf("user %s not in allowed groups for domain %s", user.Id, domain)
-}
-
-func (s *ProxyServiceServer) getAccountServiceByDomain(ctx context.Context, accountID, domain string) (*reverseproxy.Service, error) {
-	services, err := s.reverseProxyManager.GetAccountServices(ctx, accountID)
-	if err != nil {
-		return nil, fmt.Errorf("get account services: %w", err)
-	}
-
-	for _, service := range services {
-		if service.Domain == domain {
-			return service, nil
-		}
-	}
-
-	return nil, fmt.Errorf("service not found for domain %s in account %s", domain, accountID)
-}
-
-// ValidateSession validates a session token and checks if the user has access to the domain.
-func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.ValidateSessionRequest) (*proto.ValidateSessionResponse, error) {
-	domain := req.GetDomain()
-	sessionToken := req.GetSessionToken()
-
-	if domain == "" || sessionToken == "" {
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			DeniedReason: "missing domain or session_token",
-		}, nil
-	}
-
-	service, err := s.getServiceByDomain(ctx, domain)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"domain": domain,
-			"error":  err.Error(),
-		}).Debug("ValidateSession: service not found")
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			DeniedReason: "service_not_found",
-		}, nil
-	}
-
-	pubKeyBytes, err := base64.StdEncoding.DecodeString(service.SessionPublicKey)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"domain": domain,
-			"error":  err.Error(),
-		}).Error("ValidateSession: decode public key")
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			DeniedReason: "invalid_service_config",
-		}, nil
-	}
-
-	userID, _, err := proxyauth.ValidateSessionJWT(sessionToken, domain, pubKeyBytes)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"domain": domain,
-			"error":  err.Error(),
-		}).Debug("ValidateSession: invalid session token")
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			DeniedReason: "invalid_token",
-		}, nil
-	}
-
-	user, err := s.usersManager.GetUser(ctx, userID)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"domain":  domain,
-			"user_id": userID,
-			"error":   err.Error(),
-		}).Debug("ValidateSession: user not found")
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			DeniedReason: "user_not_found",
-		}, nil
-	}
-
-	if user.AccountID != service.AccountID {
-		log.WithFields(log.Fields{
-			"domain":          domain,
-			"user_id":         userID,
-			"user_account":    user.AccountID,
-			"service_account": service.AccountID,
-		}).Debug("ValidateSession: user account mismatch")
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			DeniedReason: "account_mismatch",
-		}, nil
-	}
-
-	if err := s.checkGroupAccess(service, user); err != nil {
-		log.WithFields(log.Fields{
-			"domain":  domain,
-			"user_id": userID,
-			"error":   err.Error(),
-		}).Debug("ValidateSession: access denied")
-		return &proto.ValidateSessionResponse{
-			Valid:        false,
-			UserId:       user.Id,
-			UserEmail:    user.Email,
-			DeniedReason: "not_in_group",
-		}, nil
-	}
-
-	log.WithFields(log.Fields{
-		"domain":  domain,
-		"user_id": userID,
-		"email":   user.Email,
-	}).Debug("ValidateSession: access granted")
-
-	return &proto.ValidateSessionResponse{
-		Valid:     true,
-		UserId:    user.Id,
-		UserEmail: user.Email,
-	}, nil
-}
-
-func (s *ProxyServiceServer) getServiceByDomain(ctx context.Context, domain string) (*reverseproxy.Service, error) {
-	services, err := s.reverseProxyManager.GetGlobalServices(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("get services: %w", err)
-	}
-
-	for _, service := range services {
-		if service.Domain == domain {
-			return service, nil
-		}
-	}
-
-	return nil, fmt.Errorf("service not found for domain: %s", domain)
-}
-
-func (s *ProxyServiceServer) checkGroupAccess(service *reverseproxy.Service, user *types.User) error {
-	if service.Auth.BearerAuth == nil || !service.Auth.BearerAuth.Enabled {
-		return nil
-	}
-
-	allowedGroups := service.Auth.BearerAuth.DistributionGroups
-	if len(allowedGroups) == 0 {
-		return nil
-	}
-
-	allowedSet := make(map[string]bool, len(allowedGroups))
-	for _, groupID := range allowedGroups {
-		allowedSet[groupID] = true
-	}
-
-	for _, groupID := range user.AutoGroups {
-		if allowedSet[groupID] {
-			return nil
-		}
-	}
-
-	return fmt.Errorf("user not in allowed groups")
-}
--- a/management/internals/shared/grpc/proxy_auth.go
+++ b/management/internals/shared/grpc/proxy_auth.go
@@ -1,234 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"strings"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/metadata"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-const (
-	// lastUsedUpdateInterval is the minimum interval between last_used updates for the same token.
-	lastUsedUpdateInterval = time.Minute
-	// lastUsedCleanupInterval is how often stale lastUsed entries are removed.
-	lastUsedCleanupInterval = 2 * time.Minute
-)
-
-type proxyTokenContextKey struct{}
-
-// ProxyTokenContextKey is the typed key used to store validated token info in context.
-var ProxyTokenContextKey = proxyTokenContextKey{}
-
-// proxyTokenID identifies a proxy access token by its database ID.
-type proxyTokenID = string
-
-// proxyTokenStore defines the store interface needed for token validation
-type proxyTokenStore interface {
-	GetProxyAccessTokenByHashedToken(ctx context.Context, lockStrength store.LockingStrength, hashedToken types.HashedProxyToken) (*types.ProxyAccessToken, error)
-	MarkProxyAccessTokenUsed(ctx context.Context, tokenID string) error
-}
-
-// proxyAuthInterceptor holds state for proxy authentication interceptors.
-type proxyAuthInterceptor struct {
-	store          proxyTokenStore
-	failureLimiter *authFailureLimiter
-
-	// lastUsedMu protects lastUsedTimes
-	lastUsedMu    sync.Mutex
-	lastUsedTimes map[proxyTokenID]time.Time
-	cancel        context.CancelFunc
-}
-
-func newProxyAuthInterceptor(tokenStore proxyTokenStore) *proxyAuthInterceptor {
-	ctx, cancel := context.WithCancel(context.Background())
-	i := &proxyAuthInterceptor{
-		store:          tokenStore,
-		failureLimiter: newAuthFailureLimiter(),
-		lastUsedTimes:  make(map[proxyTokenID]time.Time),
-		cancel:         cancel,
-	}
-	go i.lastUsedCleanupLoop(ctx)
-	return i
-}
-
-// NewProxyAuthInterceptors creates gRPC unary and stream interceptors that validate proxy access tokens.
-// They only intercept ProxyService methods. Both interceptors share state for last-used and failure rate limiting.
-// The returned close function must be called on shutdown to stop background goroutines.
-func NewProxyAuthInterceptors(tokenStore proxyTokenStore) (grpc.UnaryServerInterceptor, grpc.StreamServerInterceptor, func()) {
-	interceptor := newProxyAuthInterceptor(tokenStore)
-
-	unary := func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
-		if !strings.HasPrefix(info.FullMethod, "/management.ProxyService/") {
-			return handler(ctx, req)
-		}
-
-		token, err := interceptor.validateProxyToken(ctx)
-		if err != nil {
-			// Log auth failures explicitly; gRPC doesn't log these by default.
-			log.WithContext(ctx).Warnf("proxy auth failed: %v", err)
-			return nil, err
-		}
-
-		ctx = context.WithValue(ctx, ProxyTokenContextKey, token)
-		return handler(ctx, req)
-	}
-
-	stream := func(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
-		if !strings.HasPrefix(info.FullMethod, "/management.ProxyService/") {
-			return handler(srv, ss)
-		}
-
-		token, err := interceptor.validateProxyToken(ss.Context())
-		if err != nil {
-			// Log auth failures explicitly; gRPC doesn't log these by default.
-			log.WithContext(ss.Context()).Warnf("proxy auth failed: %v", err)
-			return err
-		}
-
-		ctx := context.WithValue(ss.Context(), ProxyTokenContextKey, token)
-		wrapped := &wrappedServerStream{
-			ServerStream: ss,
-			ctx:          ctx,
-		}
-
-		return handler(srv, wrapped)
-	}
-
-	return unary, stream, interceptor.close
-}
-
-func (i *proxyAuthInterceptor) validateProxyToken(ctx context.Context) (*types.ProxyAccessToken, error) {
-	clientIP := peerIPFromContext(ctx)
-
-	if clientIP != "" && i.failureLimiter.isLimited(clientIP) {
-		return nil, status.Errorf(codes.ResourceExhausted, "too many failed authentication attempts")
-	}
-
-	token, err := i.doValidateProxyToken(ctx)
-	if err != nil {
-		if clientIP != "" {
-			i.failureLimiter.recordFailure(clientIP)
-		}
-		return nil, err
-	}
-
-	i.maybeUpdateLastUsed(ctx, token.ID)
-
-	return token, nil
-}
-
-func (i *proxyAuthInterceptor) doValidateProxyToken(ctx context.Context) (*types.ProxyAccessToken, error) {
-	md, ok := metadata.FromIncomingContext(ctx)
-	if !ok {
-		return nil, status.Errorf(codes.Unauthenticated, "missing metadata")
-	}
-
-	authValues := md.Get("authorization")
-	if len(authValues) == 0 {
-		return nil, status.Errorf(codes.Unauthenticated, "missing authorization header")
-	}
-
-	authValue := authValues[0]
-	if !strings.HasPrefix(authValue, "Bearer ") {
-		return nil, status.Errorf(codes.Unauthenticated, "invalid authorization format")
-	}
-
-	plainToken := types.PlainProxyToken(strings.TrimPrefix(authValue, "Bearer "))
-
-	if err := plainToken.Validate(); err != nil {
-		return nil, status.Errorf(codes.Unauthenticated, "invalid token format")
-	}
-
-	token, err := i.store.GetProxyAccessTokenByHashedToken(ctx, store.LockingStrengthNone, plainToken.Hash())
-	if err != nil {
-		return nil, status.Errorf(codes.Unauthenticated, "invalid token")
-	}
-
-	// TODO: Enforce AccountID scope for "bring your own proxy" feature.
-	// Currently tokens are management-wide; AccountID field is reserved for future use.
-
-	if !token.IsValid() {
-		return nil, status.Errorf(codes.Unauthenticated, "token expired or revoked")
-	}
-
-	return token, nil
-}
-
-// maybeUpdateLastUsed updates the last_used timestamp if enough time has passed since the last update.
-func (i *proxyAuthInterceptor) maybeUpdateLastUsed(ctx context.Context, tokenID string) {
-	now := time.Now()
-
-	i.lastUsedMu.Lock()
-	lastUpdate, exists := i.lastUsedTimes[tokenID]
-	if exists && now.Sub(lastUpdate) < lastUsedUpdateInterval {
-		i.lastUsedMu.Unlock()
-		return
-	}
-	i.lastUsedTimes[tokenID] = now
-	i.lastUsedMu.Unlock()
-
-	if err := i.store.MarkProxyAccessTokenUsed(ctx, tokenID); err != nil {
-		log.WithContext(ctx).Debugf("failed to mark proxy token as used: %v", err)
-	}
-}
-
-func (i *proxyAuthInterceptor) lastUsedCleanupLoop(ctx context.Context) {
-	ticker := time.NewTicker(lastUsedCleanupInterval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ticker.C:
-			i.cleanupStaleLastUsed()
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-// cleanupStaleLastUsed removes entries older than 2x the update interval.
-func (i *proxyAuthInterceptor) cleanupStaleLastUsed() {
-	i.lastUsedMu.Lock()
-	defer i.lastUsedMu.Unlock()
-
-	now := time.Now()
-	staleThreshold := 2 * lastUsedUpdateInterval
-	for id, lastUpdate := range i.lastUsedTimes {
-		if now.Sub(lastUpdate) > staleThreshold {
-			delete(i.lastUsedTimes, id)
-		}
-	}
-}
-
-func (i *proxyAuthInterceptor) close() {
-	i.cancel()
-	i.failureLimiter.stop()
-}
-
-// GetProxyTokenFromContext retrieves the validated proxy token from the context
-func GetProxyTokenFromContext(ctx context.Context) *types.ProxyAccessToken {
-	token, ok := ctx.Value(ProxyTokenContextKey).(*types.ProxyAccessToken)
-	if !ok {
-		return nil
-	}
-	return token
-}
-
-// wrappedServerStream wraps a grpc.ServerStream to provide a custom context
-type wrappedServerStream struct {
-	grpc.ServerStream
-	ctx context.Context
-}
-
-func (w *wrappedServerStream) Context() context.Context {
-	return w.ctx
-}
--- a/management/internals/shared/grpc/proxy_auth_ratelimit.go
+++ b/management/internals/shared/grpc/proxy_auth_ratelimit.go
@@ -1,134 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
-	"golang.org/x/time/rate"
-	"google.golang.org/grpc/peer"
-)
-
-const (
-	// proxyAuthFailureBurst is the maximum number of failed attempts before rate limiting kicks in.
-	proxyAuthFailureBurst = 5
-	// proxyAuthLimiterCleanup is how often stale limiters are removed.
-	proxyAuthLimiterCleanup = 5 * time.Minute
-	// proxyAuthLimiterTTL is how long a limiter is kept after the last failure.
-	proxyAuthLimiterTTL = 15 * time.Minute
-)
-
-// defaultProxyAuthFailureRate is the token replenishment rate for failed auth attempts.
-// One token every 12 seconds = 5 per minute.
-var defaultProxyAuthFailureRate = rate.Every(12 * time.Second)
-
-// clientIP identifies a client by its IP address for rate limiting purposes.
-type clientIP = string
-
-type limiterEntry struct {
-	limiter    *rate.Limiter
-	lastAccess time.Time
-}
-
-// authFailureLimiter tracks per-IP rate limits for failed proxy authentication attempts.
-type authFailureLimiter struct {
-	mu          sync.Mutex
-	limiters    map[clientIP]*limiterEntry
-	failureRate rate.Limit
-	cancel      context.CancelFunc
-}
-
-func newAuthFailureLimiter() *authFailureLimiter {
-	return newAuthFailureLimiterWithRate(defaultProxyAuthFailureRate)
-}
-
-func newAuthFailureLimiterWithRate(failureRate rate.Limit) *authFailureLimiter {
-	ctx, cancel := context.WithCancel(context.Background())
-	l := &authFailureLimiter{
-		limiters:    make(map[clientIP]*limiterEntry),
-		failureRate: failureRate,
-		cancel:      cancel,
-	}
-	go l.cleanupLoop(ctx)
-	return l
-}
-
-// isLimited returns true if the given IP has exhausted its failure budget.
-func (l *authFailureLimiter) isLimited(ip clientIP) bool {
-	l.mu.Lock()
-	defer l.mu.Unlock()
-
-	entry, exists := l.limiters[ip]
-	if !exists {
-		return false
-	}
-
-	return entry.limiter.Tokens() < 1
-}
-
-// recordFailure consumes a token from the rate limiter for the given IP.
-func (l *authFailureLimiter) recordFailure(ip clientIP) {
-	l.mu.Lock()
-	defer l.mu.Unlock()
-
-	now := time.Now()
-	entry, exists := l.limiters[ip]
-	if !exists {
-		entry = &limiterEntry{
-			limiter: rate.NewLimiter(l.failureRate, proxyAuthFailureBurst),
-		}
-		l.limiters[ip] = entry
-	}
-	entry.lastAccess = now
-	entry.limiter.Allow()
-}
-
-func (l *authFailureLimiter) cleanupLoop(ctx context.Context) {
-	ticker := time.NewTicker(proxyAuthLimiterCleanup)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ticker.C:
-			l.cleanup()
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-func (l *authFailureLimiter) cleanup() {
-	l.mu.Lock()
-	defer l.mu.Unlock()
-
-	now := time.Now()
-	for ip, entry := range l.limiters {
-		if now.Sub(entry.lastAccess) > proxyAuthLimiterTTL {
-			delete(l.limiters, ip)
-		}
-	}
-}
-
-func (l *authFailureLimiter) stop() {
-	l.cancel()
-}
-
-// peerIPFromContext extracts the client IP from the gRPC context.
-// Uses realip (from trusted proxy headers) first, falls back to the transport peer address.
-func peerIPFromContext(ctx context.Context) clientIP {
-	if addr, ok := realip.FromContext(ctx); ok {
-		return addr.String()
-	}
-
-	if p, ok := peer.FromContext(ctx); ok {
-		host, _, err := net.SplitHostPort(p.Addr.String())
-		if err != nil {
-			return p.Addr.String()
-		}
-		return host
-	}
-
-	return ""
-}
--- a/management/internals/shared/grpc/proxy_auth_ratelimit_test.go
+++ b/management/internals/shared/grpc/proxy_auth_ratelimit_test.go
@@ -1,98 +0,0 @@
-package grpc
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/time/rate"
-)
-
-func TestAuthFailureLimiter_NotLimitedInitially(t *testing.T) {
-	l := newAuthFailureLimiter()
-	defer l.stop()
-
-	assert.False(t, l.isLimited("192.168.1.1"), "new IP should not be rate limited")
-}
-
-func TestAuthFailureLimiter_LimitedAfterBurst(t *testing.T) {
-	l := newAuthFailureLimiter()
-	defer l.stop()
-
-	ip := "192.168.1.1"
-	for i := 0; i < proxyAuthFailureBurst; i++ {
-		l.recordFailure(ip)
-	}
-
-	assert.True(t, l.isLimited(ip), "IP should be limited after exhausting burst")
-}
-
-func TestAuthFailureLimiter_DifferentIPsIndependent(t *testing.T) {
-	l := newAuthFailureLimiter()
-	defer l.stop()
-
-	for i := 0; i < proxyAuthFailureBurst; i++ {
-		l.recordFailure("192.168.1.1")
-	}
-
-	assert.True(t, l.isLimited("192.168.1.1"))
-	assert.False(t, l.isLimited("192.168.1.2"), "different IP should not be affected")
-}
-
-func TestAuthFailureLimiter_RecoveryOverTime(t *testing.T) {
-	l := newAuthFailureLimiterWithRate(rate.Limit(100)) // 100 tokens/sec for fast recovery
-	defer l.stop()
-
-	ip := "10.0.0.1"
-
-	// Exhaust burst
-	for i := 0; i < proxyAuthFailureBurst; i++ {
-		l.recordFailure(ip)
-	}
-	require.True(t, l.isLimited(ip))
-
-	// Wait for token replenishment
-	time.Sleep(50 * time.Millisecond)
-
-	assert.False(t, l.isLimited(ip), "should recover after tokens replenish")
-}
-
-func TestAuthFailureLimiter_Cleanup(t *testing.T) {
-	l := newAuthFailureLimiter()
-	defer l.stop()
-
-	l.recordFailure("10.0.0.1")
-
-	l.mu.Lock()
-	require.Len(t, l.limiters, 1)
-	// Backdate the entry so it looks stale
-	l.limiters["10.0.0.1"].lastAccess = time.Now().Add(-proxyAuthLimiterTTL - time.Minute)
-	l.mu.Unlock()
-
-	l.cleanup()
-
-	l.mu.Lock()
-	assert.Empty(t, l.limiters, "stale entries should be cleaned up")
-	l.mu.Unlock()
-}
-
-func TestAuthFailureLimiter_CleanupKeepsFresh(t *testing.T) {
-	l := newAuthFailureLimiter()
-	defer l.stop()
-
-	l.recordFailure("10.0.0.1")
-	l.recordFailure("10.0.0.2")
-
-	l.mu.Lock()
-	// Only backdate one entry
-	l.limiters["10.0.0.1"].lastAccess = time.Now().Add(-proxyAuthLimiterTTL - time.Minute)
-	l.mu.Unlock()
-
-	l.cleanup()
-
-	l.mu.Lock()
-	assert.Len(t, l.limiters, 1, "only stale entries should be removed")
-	assert.Contains(t, l.limiters, "10.0.0.2")
-	l.mu.Unlock()
-}
--- a/management/internals/shared/grpc/proxy_group_access_test.go
+++ b/management/internals/shared/grpc/proxy_group_access_test.go
@@ -1,381 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-type mockReverseProxyManager struct {
-	proxiesByAccount map[string][]*reverseproxy.Service
-	err              error
-}
-
-func (m *mockReverseProxyManager) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
-	if m.err != nil {
-		return nil, m.err
-	}
-	return m.proxiesByAccount[accountID], nil
-}
-
-func (m *mockReverseProxyManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *mockReverseProxyManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *mockReverseProxyManager) GetService(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *mockReverseProxyManager) CreateService(ctx context.Context, accountID, userID string, rp *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *mockReverseProxyManager) UpdateService(ctx context.Context, accountID, userID string, rp *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *mockReverseProxyManager) DeleteService(ctx context.Context, accountID, userID, reverseProxyID string) error {
-	return nil
-}
-
-func (m *mockReverseProxyManager) SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error {
-	return nil
-}
-
-func (m *mockReverseProxyManager) SetStatus(ctx context.Context, accountID, reverseProxyID string, status reverseproxy.ProxyStatus) error {
-	return nil
-}
-
-func (m *mockReverseProxyManager) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
-	return nil
-}
-
-func (m *mockReverseProxyManager) ReloadService(ctx context.Context, accountID, reverseProxyID string) error {
-	return nil
-}
-
-func (m *mockReverseProxyManager) GetServiceByID(ctx context.Context, accountID, reverseProxyID string) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *mockReverseProxyManager) GetServiceIDByTargetID(_ context.Context, _, _ string) (string, error) {
-	return "", nil
-}
-
-type mockUsersManager struct {
-	users map[string]*types.User
-	err   error
-}
-
-func (m *mockUsersManager) GetUser(ctx context.Context, userID string) (*types.User, error) {
-	if m.err != nil {
-		return nil, m.err
-	}
-	user, ok := m.users[userID]
-	if !ok {
-		return nil, errors.New("user not found")
-	}
-	return user, nil
-}
-
-func TestValidateUserGroupAccess(t *testing.T) {
-	tests := []struct {
-		name             string
-		domain           string
-		userID           string
-		proxiesByAccount map[string][]*reverseproxy.Service
-		users            map[string]*types.User
-		proxyErr         error
-		userErr          error
-		expectErr        bool
-		expectErrMsg     string
-	}{
-		{
-			name:   "user not found",
-			domain: "app.example.com",
-			userID: "unknown-user",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{Domain: "app.example.com", AccountID: "account1"}},
-			},
-			users:        map[string]*types.User{},
-			expectErr:    true,
-			expectErrMsg: "user not found",
-		},
-		{
-			name:             "proxy not found in user's account",
-			domain:           "app.example.com",
-			userID:           "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr:    true,
-			expectErrMsg: "reverse proxy not found",
-		},
-		{
-			name:   "proxy exists in different account - not accessible",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account2": {{Domain: "app.example.com", AccountID: "account2"}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr:    true,
-			expectErrMsg: "reverse proxy not found",
-		},
-		{
-			name:   "no bearer auth configured - same account allows access",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{Domain: "app.example.com", AccountID: "account1", Auth: reverseproxy.AuthConfig{}}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr: false,
-		},
-		{
-			name:   "bearer auth disabled - same account allows access",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{
-					Domain:    "app.example.com",
-					AccountID: "account1",
-					Auth: reverseproxy.AuthConfig{
-						BearerAuth: &reverseproxy.BearerAuthConfig{Enabled: false},
-					},
-				}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr: false,
-		},
-		{
-			name:   "bearer auth enabled but no groups configured - same account allows access",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{
-					Domain:    "app.example.com",
-					AccountID: "account1",
-					Auth: reverseproxy.AuthConfig{
-						BearerAuth: &reverseproxy.BearerAuthConfig{
-							Enabled:            true,
-							DistributionGroups: []string{},
-						},
-					},
-				}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr: false,
-		},
-		{
-			name:   "user not in allowed groups",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{
-					Domain:    "app.example.com",
-					AccountID: "account1",
-					Auth: reverseproxy.AuthConfig{
-						BearerAuth: &reverseproxy.BearerAuthConfig{
-							Enabled:            true,
-							DistributionGroups: []string{"group1", "group2"},
-						},
-					},
-				}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1", AutoGroups: []string{"group3", "group4"}},
-			},
-			expectErr:    true,
-			expectErrMsg: "not in allowed groups",
-		},
-		{
-			name:   "user in one of the allowed groups - allow access",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{
-					Domain:    "app.example.com",
-					AccountID: "account1",
-					Auth: reverseproxy.AuthConfig{
-						BearerAuth: &reverseproxy.BearerAuthConfig{
-							Enabled:            true,
-							DistributionGroups: []string{"group1", "group2"},
-						},
-					},
-				}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1", AutoGroups: []string{"group2", "group3"}},
-			},
-			expectErr: false,
-		},
-		{
-			name:   "user in all allowed groups - allow access",
-			domain: "app.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{
-					Domain:    "app.example.com",
-					AccountID: "account1",
-					Auth: reverseproxy.AuthConfig{
-						BearerAuth: &reverseproxy.BearerAuthConfig{
-							Enabled:            true,
-							DistributionGroups: []string{"group1", "group2"},
-						},
-					},
-				}},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1", AutoGroups: []string{"group1", "group2", "group3"}},
-			},
-			expectErr: false,
-		},
-		{
-			name:             "proxy manager error",
-			domain:           "app.example.com",
-			userID:           "user1",
-			proxiesByAccount: nil,
-			proxyErr:         errors.New("database error"),
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr:    true,
-			expectErrMsg: "get account reverse proxies",
-		},
-		{
-			name:   "multiple proxies in account - finds correct one",
-			domain: "app2.example.com",
-			userID: "user1",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {
-					{Domain: "app1.example.com", AccountID: "account1"},
-					{Domain: "app2.example.com", AccountID: "account1", Auth: reverseproxy.AuthConfig{}},
-					{Domain: "app3.example.com", AccountID: "account1"},
-				},
-			},
-			users: map[string]*types.User{
-				"user1": {Id: "user1", AccountID: "account1"},
-			},
-			expectErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			server := &ProxyServiceServer{
-				reverseProxyManager: &mockReverseProxyManager{
-					proxiesByAccount: tt.proxiesByAccount,
-					err:              tt.proxyErr,
-				},
-				usersManager: &mockUsersManager{
-					users: tt.users,
-					err:   tt.userErr,
-				},
-			}
-
-			err := server.ValidateUserGroupAccess(context.Background(), tt.domain, tt.userID)
-
-			if tt.expectErr {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tt.expectErrMsg)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestGetAccountProxyByDomain(t *testing.T) {
-	tests := []struct {
-		name             string
-		accountID        string
-		domain           string
-		proxiesByAccount map[string][]*reverseproxy.Service
-		err              error
-		expectProxy      bool
-		expectErr        bool
-	}{
-		{
-			name:      "proxy found",
-			accountID: "account1",
-			domain:    "app.example.com",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {
-					{Domain: "other.example.com", AccountID: "account1"},
-					{Domain: "app.example.com", AccountID: "account1"},
-				},
-			},
-			expectProxy: true,
-			expectErr:   false,
-		},
-		{
-			name:      "proxy not found in account",
-			accountID: "account1",
-			domain:    "unknown.example.com",
-			proxiesByAccount: map[string][]*reverseproxy.Service{
-				"account1": {{Domain: "app.example.com", AccountID: "account1"}},
-			},
-			expectProxy: false,
-			expectErr:   true,
-		},
-		{
-			name:             "empty proxy list for account",
-			accountID:        "account1",
-			domain:           "app.example.com",
-			proxiesByAccount: map[string][]*reverseproxy.Service{},
-			expectProxy:      false,
-			expectErr:        true,
-		},
-		{
-			name:             "manager error",
-			accountID:        "account1",
-			domain:           "app.example.com",
-			proxiesByAccount: nil,
-			err:              errors.New("database error"),
-			expectProxy:      false,
-			expectErr:        true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			server := &ProxyServiceServer{
-				reverseProxyManager: &mockReverseProxyManager{
-					proxiesByAccount: tt.proxiesByAccount,
-					err:              tt.err,
-				},
-			}
-
-			proxy, err := server.getAccountProxyByDomain(context.Background(), tt.accountID, tt.domain)
-
-			if tt.expectErr {
-				require.Error(t, err)
-				assert.Nil(t, proxy)
-			} else {
-				require.NoError(t, err)
-				require.NotNil(t, proxy)
-				assert.Equal(t, tt.domain, proxy.Domain)
-			}
-		})
-	}
-}
--- a/management/internals/shared/grpc/server.go
+++ b/management/internals/shared/grpc/server.go
@@ -77,9 +77,8 @@ type Server struct {

 	oAuthConfigProvider idp.OAuthConfigProvider

-	syncSem        atomic.Int32
-	syncLimEnabled bool
-	syncLim        int32
+	syncSem atomic.Int32
+	syncLim int32
 }

 // NewServer creates a new Management server
@@ -109,7 +108,6 @@ func NewServer(
 	blockPeersWithSameConfig := strings.ToLower(os.Getenv(envBlockPeers)) == "true"

 	syncLim := int32(defaultSyncLim)
-	syncLimEnabled := true
 	if syncLimStr := os.Getenv(envConcurrentSyncs); syncLimStr != "" {
 		syncLimParsed, err := strconv.Atoi(syncLimStr)
 		if err != nil {
@@ -117,9 +115,6 @@ func NewServer(
 		} else {
 			//nolint:gosec
 			syncLim = int32(syncLimParsed)
-			if syncLim < 0 {
-				syncLimEnabled = false
-			}
 		}
 	}

@@ -139,8 +134,7 @@ func NewServer(

 		loginFilter: newLoginFilter(),

-		syncLim:        syncLim,
-		syncLimEnabled: syncLimEnabled,
+		syncLim: syncLim,
 	}, nil
 }

@@ -218,7 +212,7 @@ func (s *Server) Job(srv proto.ManagementService_JobServer) error {
 // Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and
 // notifies the connected peer of any updates (e.g. new peers under the same account)
 func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
-	if s.syncLimEnabled && s.syncSem.Load() >= s.syncLim {
+	if s.syncSem.Load() >= s.syncLim {
 		return status.Errorf(codes.ResourceExhausted, "too many concurrent sync requests, please try again later")
 	}
 	s.syncSem.Add(1)
@@ -300,7 +294,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	metahash := metaHash(peerMeta, realIP.String())
 	s.loginFilter.addLogin(peerKey.String(), metahash)

-	peer, netMap, postureChecks, dnsFwdPort, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP, reqStart)
+	peer, netMap, postureChecks, dnsFwdPort, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP)
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while syncing peer %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
@@ -311,7 +305,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while sending initial sync for %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
-		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, reqStart)
+		s.cancelPeerRoutines(ctx, accountID, peer)
 		return err
 	}

@@ -319,7 +313,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while notify peer connected for %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
-		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, reqStart)
+		s.cancelPeerRoutines(ctx, accountID, peer)
 		return err
 	}

@@ -336,7 +330,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S

 	s.syncSem.Add(-1)

-	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv, reqStart)
+	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv)
 }

 func (s *Server) handleHandshake(ctx context.Context, srv proto.ManagementService_JobServer) (wgtypes.Key, error) {
@@ -404,20 +398,11 @@ func (s *Server) sendJobsLoop(ctx context.Context, accountID string, peerKey wgt
 }

 // handleUpdates sends updates to the connected peer until the updates channel is closed.
-// It implements a backpressure mechanism that sends the first update immediately,
-// then debounces subsequent rapid updates, ensuring only the latest update is sent
-// after a quiet period.
-func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, updates chan *network_map.UpdateMessage, srv proto.ManagementService_SyncServer, streamStartTime time.Time) error {
+func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, updates chan *network_map.UpdateMessage, srv proto.ManagementService_SyncServer) error {
 	log.WithContext(ctx).Tracef("starting to handle updates for peer %s", peerKey.String())
-
-	// Create a debouncer for this peer connection
-	debouncer := NewUpdateDebouncer(1000 * time.Millisecond)
-	defer debouncer.Stop()
-
 	for {
 		select {
 		// condition when there are some updates
-		// todo set the updates channel size to 1
 		case update, open := <-updates:
 			if s.appMetrics != nil {
 				s.appMetrics.GRPCMetrics().UpdateChannelQueueLength(len(updates) + 1)
@@ -425,38 +410,20 @@ func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wg

 			if !open {
 				log.WithContext(ctx).Debugf("updates channel for peer %s was closed", peerKey.String())
-				s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
+				s.cancelPeerRoutines(ctx, accountID, peer)
 				return nil
 			}
-
 			log.WithContext(ctx).Debugf("received an update for peer %s", peerKey.String())
-			if debouncer.ProcessUpdate(update) {
-				// Send immediately (first update or after quiet period)
-				if err := s.sendUpdate(ctx, accountID, peerKey, peer, update, srv, streamStartTime); err != nil {
-					log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
-					return err
-				}
-			}
-
-		// Timer expired - quiet period reached, send pending updates if any
-		case <-debouncer.TimerChannel():
-			pendingUpdates := debouncer.GetPendingUpdates()
-			if len(pendingUpdates) == 0 {
-				continue
-			}
-			log.WithContext(ctx).Debugf("sending %d debounced update(s) for peer %s", len(pendingUpdates), peerKey.String())
-			for _, pendingUpdate := range pendingUpdates {
-				if err := s.sendUpdate(ctx, accountID, peerKey, peer, pendingUpdate, srv, streamStartTime); err != nil {
-					log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
-					return err
-				}
+			if err := s.sendUpdate(ctx, accountID, peerKey, peer, update, srv); err != nil {
+				log.WithContext(ctx).Debugf("error while sending an update to peer %s: %v", peerKey.String(), err)
+				return err
 			}

 		// condition when client <-> server connection has been terminated
 		case <-srv.Context().Done():
 			// happens when connection drops, e.g. client disconnects
 			log.WithContext(ctx).Debugf("stream of peer %s has been closed", peerKey.String())
-			s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
+			s.cancelPeerRoutines(ctx, accountID, peer)
 			return srv.Context().Err()
 		}
 	}
@@ -464,16 +431,16 @@ func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wg

 // sendUpdate encrypts the update message using the peer key and the server's wireguard key,
 // then sends the encrypted message to the connected peer via the sync server.
-func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, update *network_map.UpdateMessage, srv proto.ManagementService_SyncServer, streamStartTime time.Time) error {
+func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtypes.Key, peer *nbpeer.Peer, update *network_map.UpdateMessage, srv proto.ManagementService_SyncServer) error {
 	key, err := s.secretsManager.GetWGKey()
 	if err != nil {
-		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
+		s.cancelPeerRoutines(ctx, accountID, peer)
 		return status.Errorf(codes.Internal, "failed processing update message")
 	}

 	encryptedResp, err := encryption.EncryptMessage(peerKey, key, update.Update)
 	if err != nil {
-		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
+		s.cancelPeerRoutines(ctx, accountID, peer)
 		return status.Errorf(codes.Internal, "failed processing update message")
 	}
 	err = srv.Send(&proto.EncryptedMessage{
@@ -481,7 +448,7 @@ func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtyp
 		Body:     encryptedResp,
 	})
 	if err != nil {
-		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
+		s.cancelPeerRoutines(ctx, accountID, peer)
 		return status.Errorf(codes.Internal, "failed sending update message")
 	}
 	log.WithContext(ctx).Debugf("sent an update to peer %s", peerKey.String())
@@ -513,15 +480,11 @@ func (s *Server) sendJob(ctx context.Context, peerKey wgtypes.Key, job *job.Even
 	return nil
 }

-func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
+func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer) {
 	unlock := s.acquirePeerLockByUID(ctx, peer.Key)
 	defer unlock()

-	s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, streamStartTime)
-}
-
-func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
-	err := s.accountManager.OnPeerDisconnected(ctx, accountID, peer.Key, streamStartTime)
+	err := s.accountManager.OnPeerDisconnected(ctx, accountID, peer.Key)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to disconnect peer %s properly: %v", peer.Key, err)
 	}
--- a/management/internals/shared/grpc/token_mgr.go
+++ b/management/internals/shared/grpc/token_mgr.go
@@ -242,10 +242,7 @@ func (m *TimeBasedAuthSecretsManager) pushNewTURNAndRelayTokens(ctx context.Cont
 	m.extendNetbirdConfig(ctx, peerID, accountID, update)

 	log.WithContext(ctx).Debugf("sending new TURN credentials to peer %s", peerID)
-	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{
-		Update:      update,
-		MessageType: network_map.MessageTypeControlConfig,
-	})
+	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{Update: update})
 }

 func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, accountID, peerID string) {
@@ -269,10 +266,7 @@ func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, ac
 	m.extendNetbirdConfig(ctx, peerID, accountID, update)

 	log.WithContext(ctx).Debugf("sending new relay credentials to peer %s", peerID)
-	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{
-		Update:      update,
-		MessageType: network_map.MessageTypeControlConfig,
-	})
+	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{Update: update})
 }

 func (m *TimeBasedAuthSecretsManager) extendNetbirdConfig(ctx context.Context, peerID, accountID string, update *proto.SyncResponse) {
--- a/management/internals/shared/grpc/update_debouncer.go
+++ b/management/internals/shared/grpc/update_debouncer.go
@@ -1,103 +0,0 @@
-package grpc
-
-import (
-	"time"
-
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
-)
-
-// UpdateDebouncer implements a backpressure mechanism that:
-// - Sends the first update immediately
-// - Coalesces rapid subsequent network map updates (only latest matters)
-// - Queues control/config updates (all must be delivered)
-// - Preserves the order of messages (important for control configs between network maps)
-// - Ensures pending updates are sent after a quiet period
-type UpdateDebouncer struct {
-	debounceInterval time.Duration
-	timer            *time.Timer
-	pendingUpdates   []*network_map.UpdateMessage // Queue that preserves order
-	timerC           <-chan time.Time
-}
-
-// NewUpdateDebouncer creates a new debouncer with the specified interval
-func NewUpdateDebouncer(interval time.Duration) *UpdateDebouncer {
-	return &UpdateDebouncer{
-		debounceInterval: interval,
-	}
-}
-
-// ProcessUpdate handles an incoming update and returns whether it should be sent immediately
-func (d *UpdateDebouncer) ProcessUpdate(update *network_map.UpdateMessage) bool {
-	if d.timer == nil {
-		// No active debounce timer, signal to send immediately
-		// and start the debounce period
-		d.startTimer()
-		return true
-	}
-
-	// Already in debounce period, accumulate this update preserving order
-	// Check if we should coalesce with the last pending update
-	if len(d.pendingUpdates) > 0 &&
-		update.MessageType == network_map.MessageTypeNetworkMap &&
-		d.pendingUpdates[len(d.pendingUpdates)-1].MessageType == network_map.MessageTypeNetworkMap {
-		// Replace the last network map with this one (coalesce consecutive network maps)
-		d.pendingUpdates[len(d.pendingUpdates)-1] = update
-	} else {
-		// Append to the queue (preserves order for control configs and non-consecutive network maps)
-		d.pendingUpdates = append(d.pendingUpdates, update)
-	}
-	d.resetTimer()
-	return false
-}
-
-// TimerChannel returns the timer channel for select statements
-func (d *UpdateDebouncer) TimerChannel() <-chan time.Time {
-	if d.timer == nil {
-		return nil
-	}
-	return d.timerC
-}
-
-// GetPendingUpdates returns and clears all pending updates after timer expiration.
-// Updates are returned in the order they were received, with consecutive network maps
-// already coalesced to only the latest one.
-// If there were pending updates, it restarts the timer to continue debouncing.
-// If there were no pending updates, it clears the timer (true quiet period).
-func (d *UpdateDebouncer) GetPendingUpdates() []*network_map.UpdateMessage {
-	updates := d.pendingUpdates
-	d.pendingUpdates = nil
-
-	if len(updates) > 0 {
-		// There were pending updates, so updates are still coming rapidly
-		// Restart the timer to continue debouncing mode
-		if d.timer != nil {
-			d.timer.Reset(d.debounceInterval)
-		}
-	} else {
-		// No pending updates means true quiet period - return to immediate mode
-		d.timer = nil
-		d.timerC = nil
-	}
-
-	return updates
-}
-
-// Stop stops the debouncer and cleans up resources
-func (d *UpdateDebouncer) Stop() {
-	if d.timer != nil {
-		d.timer.Stop()
-		d.timer = nil
-		d.timerC = nil
-	}
-	d.pendingUpdates = nil
-}
-
-func (d *UpdateDebouncer) startTimer() {
-	d.timer = time.NewTimer(d.debounceInterval)
-	d.timerC = d.timer.C
-}
-
-func (d *UpdateDebouncer) resetTimer() {
-	d.timer.Stop()
-	d.timer.Reset(d.debounceInterval)
-}
--- a/management/internals/shared/grpc/update_debouncer_test.go
+++ b/management/internals/shared/grpc/update_debouncer_test.go
@@ -1,587 +0,0 @@
-package grpc
-
-import (
-	"testing"
-	"time"
-
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-func TestUpdateDebouncer_FirstUpdateSentImmediately(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	shouldSend := debouncer.ProcessUpdate(update)
-
-	if !shouldSend {
-		t.Error("First update should be sent immediately")
-	}
-
-	if debouncer.TimerChannel() == nil {
-		t.Error("Timer should be started after first update")
-	}
-}
-
-func TestUpdateDebouncer_RapidUpdatesCoalesced(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update3 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// First update should be sent immediately
-	if !debouncer.ProcessUpdate(update1) {
-		t.Error("First update should be sent immediately")
-	}
-
-	// Rapid subsequent updates should be coalesced
-	if debouncer.ProcessUpdate(update2) {
-		t.Error("Second rapid update should not be sent immediately")
-	}
-
-	if debouncer.ProcessUpdate(update3) {
-		t.Error("Third rapid update should not be sent immediately")
-	}
-
-	// Wait for debounce period
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		if len(pendingUpdates) != 1 {
-			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
-		}
-		if pendingUpdates[0] != update3 {
-			t.Error("Should get the last update (update3)")
-		}
-	case <-time.After(100 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_LastUpdateAlwaysSent(t *testing.T) {
-	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// Send first update
-	debouncer.ProcessUpdate(update1)
-
-	// Send second update within debounce period
-	debouncer.ProcessUpdate(update2)
-
-	// Wait for timer
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		if len(pendingUpdates) != 1 {
-			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
-		}
-		if pendingUpdates[0] != update2 {
-			t.Error("Should get the last update")
-		}
-		if pendingUpdates[0] == update1 {
-			t.Error("Should not get the first update")
-		}
-	case <-time.After(100 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_TimerResetOnNewUpdate(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update3 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// Send first update
-	debouncer.ProcessUpdate(update1)
-
-	// Wait a bit, but not the full debounce period
-	time.Sleep(30 * time.Millisecond)
-
-	// Send second update - should reset timer
-	debouncer.ProcessUpdate(update2)
-
-	// Wait a bit more
-	time.Sleep(30 * time.Millisecond)
-
-	// Send third update - should reset timer again
-	debouncer.ProcessUpdate(update3)
-
-	// Now wait for the timer (should fire after last update's reset)
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		if len(pendingUpdates) != 1 {
-			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
-		}
-		if pendingUpdates[0] != update3 {
-			t.Error("Should get the last update (update3)")
-		}
-		// Timer should be restarted since there was a pending update
-		if debouncer.TimerChannel() == nil {
-			t.Error("Timer should be restarted after sending pending update")
-		}
-	case <-time.After(150 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_TimerRestartsAfterPendingUpdateSent(t *testing.T) {
-	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update3 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// First update sent immediately
-	debouncer.ProcessUpdate(update1)
-
-	// Second update coalesced
-	debouncer.ProcessUpdate(update2)
-
-	// Wait for timer to expire
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-
-		if len(pendingUpdates) == 0 {
-			t.Fatal("Should have pending update")
-		}
-
-		// After sending pending update, timer is restarted, so next update is NOT immediate
-		if debouncer.ProcessUpdate(update3) {
-			t.Error("Update after debounced send should not be sent immediately (timer restarted)")
-		}
-
-		// Wait for the restarted timer and verify update3 is pending
-		select {
-		case <-debouncer.TimerChannel():
-			finalUpdates := debouncer.GetPendingUpdates()
-			if len(finalUpdates) != 1 || finalUpdates[0] != update3 {
-				t.Error("Should get update3 as pending")
-			}
-		case <-time.After(100 * time.Millisecond):
-			t.Error("Timer should have fired for restarted timer")
-		}
-	case <-time.After(100 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_StopCleansUp(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-
-	update := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// Send update to start timer
-	debouncer.ProcessUpdate(update)
-
-	// Stop should clean up
-	debouncer.Stop()
-
-	// Multiple stops should be safe
-	debouncer.Stop()
-}
-
-func TestUpdateDebouncer_HighFrequencyUpdates(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	// Simulate high-frequency updates
-	var lastUpdate *network_map.UpdateMessage
-	sentImmediately := 0
-	for i := 0; i < 100; i++ {
-		update := &network_map.UpdateMessage{
-			Update: &proto.SyncResponse{
-				NetworkMap: &proto.NetworkMap{
-					Serial: uint64(i),
-				},
-			},
-			MessageType: network_map.MessageTypeNetworkMap,
-		}
-		lastUpdate = update
-		if debouncer.ProcessUpdate(update) {
-			sentImmediately++
-		}
-		time.Sleep(1 * time.Millisecond) // Very rapid updates
-	}
-
-	// Only first update should be sent immediately
-	if sentImmediately != 1 {
-		t.Errorf("Expected only 1 update sent immediately, got %d", sentImmediately)
-	}
-
-	// Wait for debounce period
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		if len(pendingUpdates) != 1 {
-			t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
-		}
-		if pendingUpdates[0] != lastUpdate {
-			t.Error("Should get the very last update")
-		}
-		if pendingUpdates[0].Update.NetworkMap.Serial != 99 {
-			t.Errorf("Expected serial 99, got %d", pendingUpdates[0].Update.NetworkMap.Serial)
-		}
-	case <-time.After(200 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_NoUpdatesAfterFirst(t *testing.T) {
-	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// Send first update
-	if !debouncer.ProcessUpdate(update) {
-		t.Error("First update should be sent immediately")
-	}
-
-	// Wait for timer to expire with no additional updates (true quiet period)
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		if len(pendingUpdates) != 0 {
-			t.Error("Should have no pending updates")
-		}
-		// After true quiet period, timer should be cleared
-		if debouncer.TimerChannel() != nil {
-			t.Error("Timer should be cleared after quiet period")
-		}
-	case <-time.After(100 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_IntermediateUpdatesDropped(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	updates := make([]*network_map.UpdateMessage, 5)
-	for i := range updates {
-		updates[i] = &network_map.UpdateMessage{
-			Update: &proto.SyncResponse{
-				NetworkMap: &proto.NetworkMap{
-					Serial: uint64(i),
-				},
-			},
-			MessageType: network_map.MessageTypeNetworkMap,
-		}
-	}
-
-	// First update sent immediately
-	debouncer.ProcessUpdate(updates[0])
-
-	// Send updates 1, 2, 3, 4 rapidly - only last one should remain pending
-	debouncer.ProcessUpdate(updates[1])
-	debouncer.ProcessUpdate(updates[2])
-	debouncer.ProcessUpdate(updates[3])
-	debouncer.ProcessUpdate(updates[4])
-
-	// Wait for debounce
-	<-debouncer.TimerChannel()
-	pendingUpdates := debouncer.GetPendingUpdates()
-
-	if len(pendingUpdates) != 1 {
-		t.Errorf("Should get exactly 1 pending update, got %d", len(pendingUpdates))
-	}
-	if pendingUpdates[0].Update.NetworkMap.Serial != 4 {
-		t.Errorf("Expected only the last update (serial 4), got serial %d", pendingUpdates[0].Update.NetworkMap.Serial)
-	}
-}
-
-func TestUpdateDebouncer_TrueQuietPeriodResetsToImmediateMode(t *testing.T) {
-	debouncer := NewUpdateDebouncer(30 * time.Millisecond)
-	defer debouncer.Stop()
-
-	update1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	update2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-
-	// First update sent immediately
-	if !debouncer.ProcessUpdate(update1) {
-		t.Error("First update should be sent immediately")
-	}
-
-	// Wait for timer without sending any more updates (true quiet period)
-	<-debouncer.TimerChannel()
-	pendingUpdates := debouncer.GetPendingUpdates()
-
-	if len(pendingUpdates) != 0 {
-		t.Error("Should have no pending updates during quiet period")
-	}
-
-	// After true quiet period, next update should be sent immediately
-	if !debouncer.ProcessUpdate(update2) {
-		t.Error("Update after true quiet period should be sent immediately")
-	}
-}
-
-func TestUpdateDebouncer_ContinuousHighFrequencyStaysInDebounceMode(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	// Simulate continuous high-frequency updates
-	for i := 0; i < 10; i++ {
-		update := &network_map.UpdateMessage{
-			Update: &proto.SyncResponse{
-				NetworkMap: &proto.NetworkMap{
-					Serial: uint64(i),
-				},
-			},
-			MessageType: network_map.MessageTypeNetworkMap,
-		}
-
-		if i == 0 {
-			// First one sent immediately
-			if !debouncer.ProcessUpdate(update) {
-				t.Error("First update should be sent immediately")
-			}
-		} else {
-			// All others should be coalesced (not sent immediately)
-			if debouncer.ProcessUpdate(update) {
-				t.Errorf("Update %d should not be sent immediately", i)
-			}
-		}
-
-		// Wait a bit but send next update before debounce expires
-		time.Sleep(20 * time.Millisecond)
-	}
-
-	// Now wait for final debounce
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		if len(pendingUpdates) == 0 {
-			t.Fatal("Should have the last update pending")
-		}
-		if pendingUpdates[0].Update.NetworkMap.Serial != 9 {
-			t.Errorf("Expected serial 9, got %d", pendingUpdates[0].Update.NetworkMap.Serial)
-		}
-	case <-time.After(200 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_ControlConfigMessagesQueued(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	netmapUpdate := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 1}},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	tokenUpdate1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
-		MessageType: network_map.MessageTypeControlConfig,
-	}
-	tokenUpdate2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
-		MessageType: network_map.MessageTypeControlConfig,
-	}
-
-	// First update sent immediately
-	debouncer.ProcessUpdate(netmapUpdate)
-
-	// Send multiple control config updates - they should all be queued
-	debouncer.ProcessUpdate(tokenUpdate1)
-	debouncer.ProcessUpdate(tokenUpdate2)
-
-	// Wait for debounce period
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		// Should get both control config updates
-		if len(pendingUpdates) != 2 {
-			t.Errorf("Expected 2 control config updates, got %d", len(pendingUpdates))
-		}
-		// Control configs should come first
-		if pendingUpdates[0] != tokenUpdate1 {
-			t.Error("First pending update should be tokenUpdate1")
-		}
-		if pendingUpdates[1] != tokenUpdate2 {
-			t.Error("Second pending update should be tokenUpdate2")
-		}
-	case <-time.After(200 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_MixedMessageTypes(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	netmapUpdate1 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 1}},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	netmapUpdate2 := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 2}},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	tokenUpdate := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
-		MessageType: network_map.MessageTypeControlConfig,
-	}
-
-	// First update sent immediately
-	debouncer.ProcessUpdate(netmapUpdate1)
-
-	// Send token update and network map update
-	debouncer.ProcessUpdate(tokenUpdate)
-	debouncer.ProcessUpdate(netmapUpdate2)
-
-	// Wait for debounce period
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		// Should get 2 updates in order: token, then network map
-		if len(pendingUpdates) != 2 {
-			t.Errorf("Expected 2 pending updates, got %d", len(pendingUpdates))
-		}
-		// Token update should come first (preserves order)
-		if pendingUpdates[0] != tokenUpdate {
-			t.Error("First pending update should be tokenUpdate")
-		}
-		// Network map update should come second
-		if pendingUpdates[1] != netmapUpdate2 {
-			t.Error("Second pending update should be netmapUpdate2")
-		}
-	case <-time.After(200 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
-
-func TestUpdateDebouncer_OrderPreservation(t *testing.T) {
-	debouncer := NewUpdateDebouncer(50 * time.Millisecond)
-	defer debouncer.Stop()
-
-	// Simulate: 50 network maps -> 1 control config -> 50 network maps
-	// Expected result: 3 messages (netmap, controlConfig, netmap)
-
-	// Send first network map immediately
-	firstNetmap := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: 0}},
-		MessageType: network_map.MessageTypeNetworkMap,
-	}
-	if !debouncer.ProcessUpdate(firstNetmap) {
-		t.Error("First update should be sent immediately")
-	}
-
-	// Send 49 more network maps (will be coalesced to last one)
-	var lastNetmapBatch1 *network_map.UpdateMessage
-	for i := 1; i < 50; i++ {
-		lastNetmapBatch1 = &network_map.UpdateMessage{
-			Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: uint64(i)}},
-			MessageType: network_map.MessageTypeNetworkMap,
-		}
-		debouncer.ProcessUpdate(lastNetmapBatch1)
-	}
-
-	// Send 1 control config
-	controlConfig := &network_map.UpdateMessage{
-		Update:      &proto.SyncResponse{NetbirdConfig: &proto.NetbirdConfig{}},
-		MessageType: network_map.MessageTypeControlConfig,
-	}
-	debouncer.ProcessUpdate(controlConfig)
-
-	// Send 50 more network maps (will be coalesced to last one)
-	var lastNetmapBatch2 *network_map.UpdateMessage
-	for i := 50; i < 100; i++ {
-		lastNetmapBatch2 = &network_map.UpdateMessage{
-			Update:      &proto.SyncResponse{NetworkMap: &proto.NetworkMap{Serial: uint64(i)}},
-			MessageType: network_map.MessageTypeNetworkMap,
-		}
-		debouncer.ProcessUpdate(lastNetmapBatch2)
-	}
-
-	// Wait for debounce period
-	select {
-	case <-debouncer.TimerChannel():
-		pendingUpdates := debouncer.GetPendingUpdates()
-		// Should get exactly 3 updates: netmap, controlConfig, netmap
-		if len(pendingUpdates) != 3 {
-			t.Errorf("Expected 3 pending updates, got %d", len(pendingUpdates))
-		}
-		// First should be the last netmap from batch 1
-		if pendingUpdates[0] != lastNetmapBatch1 {
-			t.Error("First pending update should be last netmap from batch 1")
-		}
-		if pendingUpdates[0].Update.NetworkMap.Serial != 49 {
-			t.Errorf("Expected serial 49, got %d", pendingUpdates[0].Update.NetworkMap.Serial)
-		}
-		// Second should be the control config
-		if pendingUpdates[1] != controlConfig {
-			t.Error("Second pending update should be control config")
-		}
-		// Third should be the last netmap from batch 2
-		if pendingUpdates[2] != lastNetmapBatch2 {
-			t.Error("Third pending update should be last netmap from batch 2")
-		}
-		if pendingUpdates[2].Update.NetworkMap.Serial != 99 {
-			t.Errorf("Expected serial 99, got %d", pendingUpdates[2].Update.NetworkMap.Serial)
-		}
-	case <-time.After(200 * time.Millisecond):
-		t.Error("Timer should have fired")
-	}
-}
--- a/management/internals/shared/grpc/validate_session_test.go
+++ b/management/internals/shared/grpc/validate_session_test.go
@@ -1,304 +0,0 @@
-//go:build integration
-
-package grpc
-
-import (
-	"context"
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/base64"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/proxy/auth"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-type validateSessionTestSetup struct {
-	proxyService *ProxyServiceServer
-	store        store.Store
-	cleanup      func()
-}
-
-func setupValidateSessionTest(t *testing.T) *validateSessionTestSetup {
-	t.Helper()
-
-	ctx := context.Background()
-	testStore, storeCleanup, err := store.NewTestStoreFromSQL(ctx, "../../../server/testdata/auth_callback.sql", t.TempDir())
-	require.NoError(t, err)
-
-	proxyManager := &testValidateSessionProxyManager{store: testStore}
-	usersManager := &testValidateSessionUsersManager{store: testStore}
-
-	proxyService := NewProxyServiceServer(nil, NewOneTimeTokenStore(time.Minute), ProxyOIDCConfig{}, nil, usersManager)
-	proxyService.SetProxyManager(proxyManager)
-
-	createTestProxies(t, ctx, testStore)
-
-	return &validateSessionTestSetup{
-		proxyService: proxyService,
-		store:        testStore,
-		cleanup:      storeCleanup,
-	}
-}
-
-func createTestProxies(t *testing.T, ctx context.Context, testStore store.Store) {
-	t.Helper()
-
-	pubKey, privKey := generateSessionKeyPair(t)
-
-	testProxy := &reverseproxy.Service{
-		ID:                "testProxyId",
-		AccountID:         "testAccountId",
-		Name:              "Test Proxy",
-		Domain:            "test-proxy.example.com",
-		Enabled:           true,
-		SessionPrivateKey: privKey,
-		SessionPublicKey:  pubKey,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
-				Enabled: true,
-			},
-		},
-	}
-	require.NoError(t, testStore.CreateService(ctx, testProxy))
-
-	restrictedProxy := &reverseproxy.Service{
-		ID:                "restrictedProxyId",
-		AccountID:         "testAccountId",
-		Name:              "Restricted Proxy",
-		Domain:            "restricted-proxy.example.com",
-		Enabled:           true,
-		SessionPrivateKey: privKey,
-		SessionPublicKey:  pubKey,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
-				Enabled:            true,
-				DistributionGroups: []string{"allowedGroupId"},
-			},
-		},
-	}
-	require.NoError(t, testStore.CreateService(ctx, restrictedProxy))
-}
-
-func generateSessionKeyPair(t *testing.T) (string, string) {
-	t.Helper()
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
-	require.NoError(t, err)
-	return base64.StdEncoding.EncodeToString(pub), base64.StdEncoding.EncodeToString(priv)
-}
-
-func createSessionToken(t *testing.T, privKeyB64, userID, domain string) string {
-	t.Helper()
-	token, err := sessionkey.SignToken(privKeyB64, userID, domain, auth.MethodOIDC, time.Hour)
-	require.NoError(t, err)
-	return token
-}
-
-func TestValidateSession_UserAllowed(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	proxy, err := setup.store.GetServiceByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
-	require.NoError(t, err)
-
-	token := createSessionToken(t, proxy.SessionPrivateKey, "allowedUserId", "test-proxy.example.com")
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain:       "test-proxy.example.com",
-		SessionToken: token,
-	})
-
-	require.NoError(t, err)
-	assert.True(t, resp.Valid, "User should be allowed access")
-	assert.Equal(t, "allowedUserId", resp.UserId)
-	assert.Empty(t, resp.DeniedReason)
-}
-
-func TestValidateSession_UserNotInAllowedGroup(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	proxy, err := setup.store.GetServiceByID(context.Background(), store.LockingStrengthNone, "testAccountId", "restrictedProxyId")
-	require.NoError(t, err)
-
-	token := createSessionToken(t, proxy.SessionPrivateKey, "nonGroupUserId", "restricted-proxy.example.com")
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain:       "restricted-proxy.example.com",
-		SessionToken: token,
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid, "User not in group should be denied")
-	assert.Equal(t, "not_in_group", resp.DeniedReason)
-	assert.Equal(t, "nonGroupUserId", resp.UserId)
-}
-
-func TestValidateSession_UserInDifferentAccount(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	proxy, err := setup.store.GetServiceByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
-	require.NoError(t, err)
-
-	token := createSessionToken(t, proxy.SessionPrivateKey, "otherAccountUserId", "test-proxy.example.com")
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain:       "test-proxy.example.com",
-		SessionToken: token,
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid, "User in different account should be denied")
-	assert.Equal(t, "account_mismatch", resp.DeniedReason)
-}
-
-func TestValidateSession_UserNotFound(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	proxy, err := setup.store.GetServiceByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
-	require.NoError(t, err)
-
-	token := createSessionToken(t, proxy.SessionPrivateKey, "nonExistentUserId", "test-proxy.example.com")
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain:       "test-proxy.example.com",
-		SessionToken: token,
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid, "Non-existent user should be denied")
-	assert.Equal(t, "user_not_found", resp.DeniedReason)
-}
-
-func TestValidateSession_ProxyNotFound(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	proxy, err := setup.store.GetServiceByID(context.Background(), store.LockingStrengthNone, "testAccountId", "testProxyId")
-	require.NoError(t, err)
-
-	token := createSessionToken(t, proxy.SessionPrivateKey, "allowedUserId", "unknown-proxy.example.com")
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain:       "unknown-proxy.example.com",
-		SessionToken: token,
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid, "Unknown proxy should be denied")
-	assert.Equal(t, "proxy_not_found", resp.DeniedReason)
-}
-
-func TestValidateSession_InvalidToken(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain:       "test-proxy.example.com",
-		SessionToken: "invalid-token",
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid, "Invalid token should be denied")
-	assert.Equal(t, "invalid_token", resp.DeniedReason)
-}
-
-func TestValidateSession_MissingDomain(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		SessionToken: "some-token",
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid)
-	assert.Contains(t, resp.DeniedReason, "missing")
-}
-
-func TestValidateSession_MissingToken(t *testing.T) {
-	setup := setupValidateSessionTest(t)
-	defer setup.cleanup()
-
-	resp, err := setup.proxyService.ValidateSession(context.Background(), &proto.ValidateSessionRequest{
-		Domain: "test-proxy.example.com",
-	})
-
-	require.NoError(t, err)
-	assert.False(t, resp.Valid)
-	assert.Contains(t, resp.DeniedReason, "missing")
-}
-
-type testValidateSessionProxyManager struct {
-	store store.Store
-}
-
-func (m *testValidateSessionProxyManager) GetAllServices(_ context.Context, _, _ string) ([]*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testValidateSessionProxyManager) GetService(_ context.Context, _, _, _ string) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testValidateSessionProxyManager) CreateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testValidateSessionProxyManager) UpdateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testValidateSessionProxyManager) DeleteService(_ context.Context, _, _, _ string) error {
-	return nil
-}
-
-func (m *testValidateSessionProxyManager) SetCertificateIssuedAt(_ context.Context, _, _ string) error {
-	return nil
-}
-
-func (m *testValidateSessionProxyManager) SetStatus(_ context.Context, _, _ string, _ reverseproxy.ProxyStatus) error {
-	return nil
-}
-
-func (m *testValidateSessionProxyManager) ReloadAllServicesForAccount(_ context.Context, _ string) error {
-	return nil
-}
-
-func (m *testValidateSessionProxyManager) ReloadService(_ context.Context, _, _ string) error {
-	return nil
-}
-
-func (m *testValidateSessionProxyManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	return m.store.GetServices(ctx, store.LockingStrengthNone)
-}
-
-func (m *testValidateSessionProxyManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.Service, error) {
-	return m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, proxyID)
-}
-
-func (m *testValidateSessionProxyManager) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
-	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-}
-
-func (m *testValidateSessionProxyManager) GetServiceIDByTargetID(_ context.Context, _, _ string) (string, error) {
-	return "", nil
-}
-
-type testValidateSessionUsersManager struct {
-	store store.Store
-}
-
-func (m *testValidateSessionUsersManager) GetUser(ctx context.Context, userID string) (*types.User, error) {
-	return m.store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
-}
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -15,7 +15,6 @@ import (
 	"sync"
 	"time"

-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/job"
 	"github.com/netbirdio/netbird/shared/auth"

@@ -27,6 +26,7 @@ import (
 	"golang.org/x/exp/maps"

 	nbdns "github.com/netbirdio/netbird/dns"
+	nbdomain "github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/formatter/hook"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
@@ -49,7 +49,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
-	nbdomain "github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/status"
 )

@@ -83,9 +82,8 @@ type DefaultAccountManager struct {

 	requestBuffer *AccountRequestBuffer

-	proxyController     port_forwarding.Controller
-	settingsManager     settings.Manager
-	reverseProxyManager reverseproxy.Manager
+	proxyController port_forwarding.Controller
+	settingsManager settings.Manager

 	// config contains the management server configuration
 	config *nbconfig.Config
@@ -115,10 +113,6 @@ type DefaultAccountManager struct {

 var _ account.Manager = (*DefaultAccountManager)(nil)

-func (am *DefaultAccountManager) SetServiceManager(serviceManager reverseproxy.Manager) {
-	am.reverseProxyManager = serviceManager
-}
-
 func isUniqueConstraintError(err error) bool {
 	switch {
 	case strings.Contains(err.Error(), "(SQLSTATE 23505)"),
@@ -327,9 +321,6 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
-			if err = am.reverseProxyManager.ReloadAllServicesForAccount(ctx, accountID); err != nil {
-				log.WithContext(ctx).Warnf("failed to reload all services for account %s: %v", accountID, err)
-			}
 			updateAccountPeers = true
 		}

@@ -804,19 +795,6 @@ func IsEmbeddedIdp(i idp.Manager) bool {
 	return ok
 }

-// IsLocalAuthDisabled checks if local (email/password) authentication is disabled.
-// Returns true only when using embedded IDP with local auth disabled in config.
-func IsLocalAuthDisabled(ctx context.Context, i idp.Manager) bool {
-	if isNil(i) {
-		return false
-	}
-	embeddedIdp, ok := i.(*idp.EmbeddedIdPManager)
-	if !ok {
-		return false
-	}
-	return embeddedIdp.IsLocalAuthDisabled()
-}
-
 // addAccountIDToIDPAppMeta update user's  app metadata in idp manager
 func (am *DefaultAccountManager) addAccountIDToIDPAppMeta(ctx context.Context, userID string, accountID string) error {
 	if !isNil(am.idpManager) && !IsEmbeddedIdp(am.idpManager) {
@@ -1679,13 +1657,13 @@ func domainIsUpToDate(domain string, domainCategory string, userAuth auth.UserAu
 	return domainCategory == types.PrivateCategory || userAuth.DomainCategory != types.PrivateCategory || domain != userAuth.Domain
 }

-func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
+func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	peer, netMap, postureChecks, dnsfwdPort, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, 0, fmt.Errorf("error syncing peer: %w", err)
 	}

-	err = am.MarkPeerConnected(ctx, peerPubKey, true, realIP, accountID, syncTime)
+	err = am.MarkPeerConnected(ctx, peerPubKey, true, realIP, accountID)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as connected %s %v", peerPubKey, err)
 	}
@@ -1693,20 +1671,8 @@ func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID
 	return peer, netMap, postureChecks, dnsfwdPort, nil
 }

-func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
-	peer, err := am.Store.GetPeerByPeerPubKey(ctx, store.LockingStrengthNone, peerPubKey)
-	if err != nil {
-		log.WithContext(ctx).Warnf("failed to get peer %s for disconnect check: %v", peerPubKey, err)
-		return nil
-	}
-
-	if peer.Status.LastSeen.After(streamStartTime) {
-		log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s > streamStart=%s), skipping disconnect",
-			peerPubKey, peer.Status.LastSeen.Format(time.RFC3339), streamStartTime.Format(time.RFC3339))
-		return nil
-	}
-
-	err = am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID, time.Now().UTC())
+func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error {
+	err := am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as disconnected %s %v", peerPubKey, err)
 	}
--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -6,7 +6,6 @@ import (
 	"net/netip"
 	"time"

-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/shared/auth"

 	nbdns "github.com/netbirdio/netbird/dns"
@@ -59,7 +58,7 @@ type Manager interface {
 	GetUserFromUserAuth(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsers(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error
+	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string) error
 	DeletePeer(ctx context.Context, accountID, peerID, userID string) error
 	UpdatePeer(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
 	UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error
@@ -115,8 +114,8 @@ type Manager interface {
 	UpdateIntegratedValidator(ctx context.Context, accountID, userID, validator string, groups []string) error
 	GroupValidation(ctx context.Context, accountId string, groups []string) (bool, error)
 	GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error)
-	SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
-	OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error
+	SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
+	OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error
 	SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
 	FindExistingPostureCheck(accountID string, checks *posture.ChecksDefinition) (*posture.Checks, error)
 	GetAccountIDForPeerKey(ctx context.Context, peerKey string) (string, error)
@@ -140,5 +139,4 @@ type Manager interface {
 	CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error
 	GetAllPeerJobs(ctx context.Context, accountID, userID, peerID string) ([]*types.Job, error)
 	GetPeerJobByID(ctx context.Context, accountID, userID, peerID, jobID string) (*types.Job, error)
-	SetServiceManager(serviceManager reverseproxy.Manager)
 }
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -1881,7 +1881,7 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
 	require.NoError(t, err, "unable to get the account")

-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID)
 	require.NoError(t, err, "unable to mark peer connected")

 	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
@@ -1952,7 +1952,7 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	require.NoError(t, err, "unable to get the account")

 	// when we mark peer as connected, the peer login expiration routine should trigger
-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID)
 	require.NoError(t, err, "unable to mark peer connected")

 	failed := waitTimeout(wg, time.Second)
@@ -1961,82 +1961,6 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 	}
 }

-func TestDefaultAccountManager_OnPeerDisconnected_LastSeenCheck(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to create an account")
-
-	key, err := wgtypes.GenerateKey()
-	require.NoError(t, err, "unable to generate WireGuard key")
-	peerPubKey := key.PublicKey().String()
-
-	_, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  peerPubKey,
-		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer"},
-	}, false)
-	require.NoError(t, err, "unable to add peer")
-
-	t.Run("disconnect peer when streamStartTime is after LastSeen", func(t *testing.T) {
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
-		require.NoError(t, err, "unable to mark peer connected")
-
-		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-		require.NoError(t, err, "unable to get peer")
-		require.True(t, peer.Status.Connected, "peer should be connected")
-
-		streamStartTime := time.Now().UTC()
-
-		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
-		require.NoError(t, err)
-
-		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-		require.NoError(t, err)
-		require.False(t, peer.Status.Connected, "peer should be disconnected")
-	})
-
-	t.Run("skip disconnect when LastSeen is after streamStartTime (zombie stream protection)", func(t *testing.T) {
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, time.Now().UTC())
-		require.NoError(t, err, "unable to mark peer connected")
-
-		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-		require.NoError(t, err)
-		require.True(t, peer.Status.Connected, "peer should be connected")
-
-		streamStartTime := peer.Status.LastSeen.Add(-1 * time.Hour)
-
-		err = manager.OnPeerDisconnected(context.Background(), accountID, peerPubKey, streamStartTime)
-		require.NoError(t, err)
-
-		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-		require.NoError(t, err)
-		require.True(t, peer.Status.Connected,
-			"peer should remain connected because LastSeen > streamStartTime (zombie stream protection)")
-	})
-
-	t.Run("skip stale connect when peer already has newer LastSeen (blocked goroutine protection)", func(t *testing.T) {
-		node2SyncTime := time.Now().UTC()
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node2SyncTime)
-		require.NoError(t, err, "node 2 should connect peer")
-
-		peer, err := manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-		require.NoError(t, err)
-		require.True(t, peer.Status.Connected, "peer should be connected")
-		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(), "LastSeen should be node2SyncTime")
-
-		node1StaleSyncTime := node2SyncTime.Add(-1 * time.Minute)
-		err = manager.MarkPeerConnected(context.Background(), peerPubKey, true, nil, accountID, node1StaleSyncTime)
-		require.NoError(t, err, "stale connect should not return error")
-
-		peer, err = manager.Store.GetPeerByPeerPubKey(context.Background(), store.LockingStrengthNone, peerPubKey)
-		require.NoError(t, err)
-		require.True(t, peer.Status.Connected, "peer should still be connected")
-		require.Equal(t, node2SyncTime.Unix(), peer.Status.LastSeen.Unix(),
-			"LastSeen should NOT be overwritten by stale syncTime from blocked goroutine")
-	})
-}
-
 func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *testing.T) {
 	manager, _, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
@@ -2059,7 +1983,7 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 	account, err := manager.Store.GetAccount(context.Background(), accountID)
 	require.NoError(t, err, "unable to get the account")

-	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID, time.Now().UTC())
+	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, accountID)
 	require.NoError(t, err, "unable to mark peer connected")

 	wg := &sync.WaitGroup{}
@@ -3252,7 +3176,7 @@ func BenchmarkSyncAndMarkPeer(b *testing.B) {
 			b.ResetTimer()
 			start := time.Now()
 			for i := 0; i < b.N; i++ {
-				_, _, _, _, err := manager.SyncAndMarkPeer(context.Background(), account.Id, account.Peers["peer-1"].Key, nbpeer.PeerSystemMeta{Hostname: strconv.Itoa(i)}, net.IP{1, 1, 1, 1}, time.Now().UTC())
+				_, _, _, _, err := manager.SyncAndMarkPeer(context.Background(), account.Id, account.Peers["peer-1"].Key, nbpeer.PeerSystemMeta{Hostname: strconv.Itoa(i)}, net.IP{1, 1, 1, 1})
 				assert.NoError(b, err)
 			}

--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -204,10 +204,6 @@ const (
 	UserInviteLinkRegenerated Activity = 106
 	UserInviteLinkDeleted     Activity = 107

-	ServiceCreated Activity = 108
-	ServiceUpdated Activity = 109
-	ServiceDeleted Activity = 110
-
 	AccountDeleted Activity = 99999
 )

@@ -341,10 +337,6 @@ var activityMap = map[Activity]Code{
 	UserInviteLinkAccepted:    {"User invite link accepted", "user.invite.link.accept"},
 	UserInviteLinkRegenerated: {"User invite link regenerated", "user.invite.link.regenerate"},
 	UserInviteLinkDeleted:     {"User invite link deleted", "user.invite.link.delete"},
-
-	ServiceCreated: {"Service created", "service.create"},
-	ServiceUpdated: {"Service updated", "service.update"},
-	ServiceDeleted: {"Service deleted", "service.delete"},
 }

 // StringCode returns a string code of the activity
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -9,17 +9,10 @@ import (
 	"time"

 	"github.com/gorilla/mux"
-	"github.com/netbirdio/netbird/management/server/types"
+	idpmanager "github.com/netbirdio/netbird/management/server/idp"
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	idpmanager "github.com/netbirdio/netbird/management/server/idp"
-
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
@@ -45,7 +38,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/handlers/networks"
 	"github.com/netbirdio/netbird/management/server/http/handlers/peers"
 	"github.com/netbirdio/netbird/management/server/http/handlers/policies"
-	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 	"github.com/netbirdio/netbird/management/server/http/handlers/routes"
 	"github.com/netbirdio/netbird/management/server/http/handlers/setup_keys"
 	"github.com/netbirdio/netbird/management/server/http/handlers/users"
@@ -67,7 +59,7 @@ const (
 )

 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *domain.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager) (http.Handler, error) {

 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -83,10 +75,6 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	if err := bypass.AddBypassPath("/api/users/invites/nbi_*/accept"); err != nil {
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}
-	// OAuth callback for proxy authentication
-	if err := bypass.AddBypassPath(types.ProxyCallbackEndpointFull); err != nil {
-		return nil, fmt.Errorf("failed to add bypass path: %w", err)
-	}

 	var rateLimitingConfig *middleware.RateLimiterConfig
 	if os.Getenv(rateLimitingEnabledKey) == "true" {
@@ -141,15 +129,15 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		return nil, fmt.Errorf("register integrations endpoints: %w", err)
 	}

-	// Check if embedded IdP is enabled for instance manager
+	// Check if embedded IdP is enabled
 	embeddedIdP, embeddedIdpEnabled := idpManager.(*idpmanager.EmbeddedIdPManager)
 	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), embeddedIdP)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create instance manager: %w", err)
 	}

-	accounts.AddEndpoints(accountManager, settingsManager, router)
-	peers.AddEndpoints(accountManager, router, networkMapController, permissionsManager)
+	accounts.AddEndpoints(accountManager, settingsManager, embeddedIdpEnabled, router)
+	peers.AddEndpoints(accountManager, router, networkMapController)
 	users.AddEndpoints(accountManager, router)
 	users.AddInvitesEndpoints(accountManager, router)
 	users.AddPublicInvitesEndpoints(accountManager, router)
@@ -167,15 +155,6 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	idp.AddEndpoints(accountManager, router)
 	instance.AddEndpoints(instanceManager, router)
 	instance.AddVersionEndpoint(instanceManager, router)
-	if reverseProxyManager != nil && reverseProxyDomainManager != nil {
-		reverseproxymanager.RegisterEndpoints(reverseProxyManager, *reverseProxyDomainManager, reverseProxyAccessLogsManager, router)
-	}
-
-	// Register OAuth callback handler for proxy authentication
-	if proxyGRPCServer != nil {
-		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer)
-		oauthHandler.RegisterEndpoints(router)
-	}

 	// Mount embedded IdP handler at /oauth2 path if configured
 	if embeddedIdpEnabled {
--- a/management/server/http/handlers/accounts/accounts_handler.go
+++ b/management/server/http/handlers/accounts/accounts_handler.go
@@ -36,22 +36,24 @@ const (

 // handler is a handler that handles the server.Account HTTP endpoints
 type handler struct {
-	accountManager  account.Manager
-	settingsManager settings.Manager
+	accountManager     account.Manager
+	settingsManager    settings.Manager
+	embeddedIdpEnabled bool
 }

-func AddEndpoints(accountManager account.Manager, settingsManager settings.Manager, router *mux.Router) {
-	accountsHandler := newHandler(accountManager, settingsManager)
+func AddEndpoints(accountManager account.Manager, settingsManager settings.Manager, embeddedIdpEnabled bool, router *mux.Router) {
+	accountsHandler := newHandler(accountManager, settingsManager, embeddedIdpEnabled)
 	router.HandleFunc("/accounts/{accountId}", accountsHandler.updateAccount).Methods("PUT", "OPTIONS")
 	router.HandleFunc("/accounts/{accountId}", accountsHandler.deleteAccount).Methods("DELETE", "OPTIONS")
 	router.HandleFunc("/accounts", accountsHandler.getAllAccounts).Methods("GET", "OPTIONS")
 }

 // newHandler creates a new handler HTTP handler
-func newHandler(accountManager account.Manager, settingsManager settings.Manager) *handler {
+func newHandler(accountManager account.Manager, settingsManager settings.Manager, embeddedIdpEnabled bool) *handler {
 	return &handler{
-		accountManager:  accountManager,
-		settingsManager: settingsManager,
+		accountManager:     accountManager,
+		settingsManager:    settingsManager,
+		embeddedIdpEnabled: embeddedIdpEnabled,
 	}
 }

@@ -163,7 +165,7 @@ func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	resp := toAccountResponse(accountID, settings, meta, onboarding)
+	resp := toAccountResponse(accountID, settings, meta, onboarding, h.embeddedIdpEnabled)
 	util.WriteJSONObject(r.Context(), w, []*api.Account{resp})
 }

@@ -290,7 +292,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	resp := toAccountResponse(accountID, updatedSettings, meta, updatedOnboarding)
+	resp := toAccountResponse(accountID, updatedSettings, meta, updatedOnboarding, h.embeddedIdpEnabled)

 	util.WriteJSONObject(r.Context(), w, &resp)
 }
@@ -319,7 +321,7 @@ func (h *handler) deleteAccount(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }

-func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta, onboarding *types.AccountOnboarding) *api.Account {
+func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta, onboarding *types.AccountOnboarding, embeddedIdpEnabled bool) *api.Account {
 	jwtAllowGroups := settings.JWTAllowGroups
 	if jwtAllowGroups == nil {
 		jwtAllowGroups = []string{}
@@ -339,8 +341,7 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		LazyConnectionEnabled:           &settings.LazyConnectionEnabled,
 		DnsDomain:                       &settings.DNSDomain,
 		AutoUpdateVersion:               &settings.AutoUpdateVersion,
-		EmbeddedIdpEnabled:              &settings.EmbeddedIdpEnabled,
-		LocalAuthDisabled:               &settings.LocalAuthDisabled,
+		EmbeddedIdpEnabled:              &embeddedIdpEnabled,
 	}

 	if settings.NetworkRange.IsValid() {
--- a/management/server/http/handlers/accounts/accounts_handler_test.go
+++ b/management/server/http/handlers/accounts/accounts_handler_test.go
@@ -33,6 +33,7 @@ func initAccountsTestData(t *testing.T, account *types.Account) *handler {
 		AnyTimes()

 	return &handler{
+		embeddedIdpEnabled: false,
 		accountManager: &mock_server.MockAccountManager{
 			GetAccountSettingsFunc: func(ctx context.Context, accountID string, userID string) (*types.Settings, error) {
 				return account.Settings, nil
@@ -123,7 +124,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
-				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: true,
 			expectedID:    accountID,
@@ -148,7 +148,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
-				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -173,7 +172,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr("latest"),
 				EmbeddedIdpEnabled:              br(false),
-				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -198,7 +196,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
-				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -223,7 +220,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
-				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -248,7 +244,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				DnsDomain:                       sr(""),
 				AutoUpdateVersion:               sr(""),
 				EmbeddedIdpEnabled:              br(false),
-				LocalAuthDisabled:               br(false),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
--- a/management/server/http/handlers/instance/instance_handler.go
+++ b/management/server/http/handlers/instance/instance_handler.go
@@ -46,7 +46,7 @@ func (h *handler) getInstanceStatus(w http.ResponseWriter, r *http.Request) {
 		util.WriteErrorResponse("failed to check instance status", http.StatusInternalServerError, w)
 		return
 	}
-	log.WithContext(r.Context()).Infof("instance setup status: %v", setupRequired)
+
 	util.WriteJSONObject(r.Context(), w, api.InstanceStatus{
 		SetupRequired: setupRequired,
 	})
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -17,7 +17,6 @@ import (
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -27,12 +26,11 @@ import (
 // Handler is a handler that returns peers of the account
 type Handler struct {
 	accountManager       account.Manager
-	permissionsManager   permissions.Manager
 	networkMapController network_map.Controller
 }

-func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMapController network_map.Controller, permissionsManager permissions.Manager) {
-	peersHandler := NewHandler(accountManager, networkMapController, permissionsManager)
+func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMapController network_map.Controller) {
+	peersHandler := NewHandler(accountManager, networkMapController)
 	router.HandleFunc("/peers", peersHandler.GetAllPeers).Methods("GET", "OPTIONS")
 	router.HandleFunc("/peers/{peerId}", peersHandler.HandlePeer).
 		Methods("GET", "PUT", "DELETE", "OPTIONS")
@@ -44,11 +42,10 @@ func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMap
 }

 // NewHandler creates a new peers Handler
-func NewHandler(accountManager account.Manager, networkMapController network_map.Controller, permissionsManager permissions.Manager) *Handler {
+func NewHandler(accountManager account.Manager, networkMapController network_map.Controller) *Handler {
 	return &Handler{
 		accountManager:       accountManager,
 		networkMapController: networkMapController,
-		permissionsManager:   permissionsManager,
 	}
 }

@@ -362,19 +359,13 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.accountManager.GetUserByID(r.Context(), userID)
+	account, err := h.accountManager.GetAccountByID(r.Context(), accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}

-	err = h.permissionsManager.ValidateAccountAccess(r.Context(), accountID, user, false)
-	if err != nil {
-		util.WriteError(r.Context(), status.NewPermissionDeniedError(), w)
-		return
-	}
-
-	account, err := h.accountManager.GetAccountByID(r.Context(), accountID, activity.SystemInitiator)
+	user, err := h.accountManager.GetUserByID(r.Context(), userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
--- a/management/server/http/handlers/peers/peers_handler_test.go
+++ b/management/server/http/handlers/peers/peers_handler_test.go
@@ -13,15 +13,13 @@ import (
 	"testing"
 	"time"

-	"github.com/golang/mock/gomock"
 	"github.com/gorilla/mux"
-	ugomock "go.uber.org/mock/gomock"
+	"go.uber.org/mock/gomock"
 	"golang.org/x/exp/maps"

 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -104,7 +102,7 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 		},
 	}

-	ctrl := ugomock.NewController(t)
+	ctrl := gomock.NewController(t)

 	networkMapController := network_map.NewMockController(ctrl)
 	networkMapController.EXPECT().
@@ -112,10 +110,6 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 		Return("domain").
 		AnyTimes()

-	ctrl2 := gomock.NewController(t)
-	permissionsManager := permissions.NewMockManager(ctrl2)
-	permissionsManager.EXPECT().ValidateAccountAccess(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
-
 	return &Handler{
 		accountManager: &mock_server.MockAccountManager{
 			UpdatePeerFunc: func(_ context.Context, accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
@@ -205,7 +199,6 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 			},
 		},
 		networkMapController: networkMapController,
-		permissionsManager:   permissionsManager,
 	}
 }

--- a/management/server/http/handlers/proxy/auth.go
+++ b/management/server/http/handlers/proxy/auth.go
@@ -1,171 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gorilla/mux"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/oauth2"
-
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/http/middleware"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/proxy/auth"
-)
-
-// AuthCallbackHandler handles OAuth callbacks for proxy authentication.
-type AuthCallbackHandler struct {
-	proxyService *nbgrpc.ProxyServiceServer
-	rateLimiter  *middleware.APIRateLimiter
-}
-
-// NewAuthCallbackHandler creates a new OAuth callback handler.
-func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer) *AuthCallbackHandler {
-	rateLimiterConfig := &middleware.RateLimiterConfig{
-		RequestsPerMinute: 10,
-		Burst:             15,
-		CleanupInterval:   5 * time.Minute,
-		LimiterTTL:        10 * time.Minute,
-	}
-
-	return &AuthCallbackHandler{
-		proxyService: proxyService,
-		rateLimiter:  middleware.NewAPIRateLimiter(rateLimiterConfig),
-	}
-}
-
-// RegisterEndpoints registers the OAuth callback endpoint.
-func (h *AuthCallbackHandler) RegisterEndpoints(router *mux.Router) {
-	router.HandleFunc(types.ProxyCallbackEndpoint, h.handleCallback).Methods(http.MethodGet)
-}
-
-func (h *AuthCallbackHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
-	clientIP := getClientIP(r)
-	if !h.rateLimiter.Allow(clientIP) {
-		log.WithField("client_ip", clientIP).Warn("OAuth callback rate limit exceeded")
-		http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
-		return
-	}
-
-	state := r.URL.Query().Get("state")
-
-	codeVerifier, originalURL, err := h.proxyService.ValidateState(state)
-	if err != nil {
-		log.WithError(err).Error("OAuth callback state validation failed")
-		http.Error(w, "Invalid state parameter", http.StatusBadRequest)
-		return
-	}
-
-	redirectURL, err := url.Parse(originalURL)
-	if err != nil {
-		log.WithError(err).Error("Failed to parse redirect URL")
-		http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
-		return
-	}
-
-	oidcConfig := h.proxyService.GetOIDCConfig()
-
-	provider, err := oidc.NewProvider(r.Context(), oidcConfig.Issuer)
-	if err != nil {
-		log.WithError(err).Error("Failed to create OIDC provider")
-		http.Error(w, "Failed to create OIDC provider", http.StatusInternalServerError)
-		return
-	}
-
-	token, err := (&oauth2.Config{
-		ClientID:    oidcConfig.ClientID,
-		Endpoint:    provider.Endpoint(),
-		RedirectURL: oidcConfig.CallbackURL,
-	}).Exchange(r.Context(), r.URL.Query().Get("code"), oauth2.VerifierOption(codeVerifier))
-	if err != nil {
-		log.WithError(err).Error("Failed to exchange code for token")
-		http.Error(w, "Failed to exchange code for token", http.StatusInternalServerError)
-		return
-	}
-
-	userID := extractUserIDFromToken(r.Context(), provider, oidcConfig, token)
-	if userID == "" {
-		log.Error("Failed to extract user ID from OIDC token")
-		http.Error(w, "Failed to validate token", http.StatusUnauthorized)
-		return
-	}
-
-	// Group validation is performed by the proxy via ValidateSession gRPC call.
-	// This allows the proxy to show 403 pages directly without redirect dance.
-
-	sessionToken, err := h.proxyService.GenerateSessionToken(r.Context(), redirectURL.Hostname(), userID, auth.MethodOIDC)
-	if err != nil {
-		log.WithError(err).Error("Failed to create session token")
-		redirectURL.Scheme = "https"
-		query := redirectURL.Query()
-		query.Set("error", "access_denied")
-		query.Set("error_description", "Service configuration error")
-		redirectURL.RawQuery = query.Encode()
-		http.Redirect(w, r, redirectURL.String(), http.StatusFound)
-		return
-	}
-
-	redirectURL.Scheme = "https"
-
-	query := redirectURL.Query()
-	query.Set("session_token", sessionToken)
-	redirectURL.RawQuery = query.Encode()
-
-	log.WithField("redirect", redirectURL.Host).Debug("OAuth callback: redirecting user with session token")
-	http.Redirect(w, r, redirectURL.String(), http.StatusFound)
-}
-
-func extractUserIDFromToken(ctx context.Context, provider *oidc.Provider, config nbgrpc.ProxyOIDCConfig, token *oauth2.Token) string {
-	rawIDToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		log.Warn("No id_token in OIDC response")
-		return ""
-	}
-
-	verifier := provider.Verifier(&oidc.Config{
-		ClientID: config.ClientID,
-	})
-
-	idToken, err := verifier.Verify(ctx, rawIDToken)
-	if err != nil {
-		log.WithError(err).Warn("Failed to verify ID token")
-		return ""
-	}
-
-	var claims struct {
-		Subject string `json:"sub"`
-	}
-	if err := idToken.Claims(&claims); err != nil {
-		log.WithError(err).Warn("Failed to extract claims from ID token")
-		return ""
-	}
-
-	return claims.Subject
-}
-
-// getClientIP extracts the client IP address from the request.
-func getClientIP(r *http.Request) string {
-	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		if idx := strings.Index(xff, ","); idx != -1 {
-			return strings.TrimSpace(xff[:idx])
-		}
-		return xff
-	}
-
-	if xri := r.Header.Get("X-Real-IP"); xri != "" {
-		return xri
-	}
-
-	// Fall back to RemoteAddr
-	host, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		return r.RemoteAddr
-	}
-	return host
-}
--- a/management/server/http/handlers/proxy/auth_callback_integration_test.go
+++ b/management/server/http/handlers/proxy/auth_callback_integration_test.go
@@ -1,523 +0,0 @@
-//go:build integration
-
-package proxy
-
-import (
-	"context"
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"testing"
-	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/gorilla/mux"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	accesslogs "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/management/server/users"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// fakeOIDCServer creates a minimal OIDC provider for testing.
-type fakeOIDCServer struct {
-	server       *httptest.Server
-	issuer       string
-	signingKey   ed25519.PrivateKey
-	publicKey    ed25519.PublicKey
-	keyID        string
-	tokenSubject string
-	tokenExpiry  time.Duration
-	failExchange bool
-}
-
-func newFakeOIDCServer() *fakeOIDCServer {
-	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
-	f := &fakeOIDCServer{
-		signingKey:  priv,
-		publicKey:   pub,
-		keyID:       "test-key-1",
-		tokenExpiry: time.Hour,
-	}
-	f.server = httptest.NewServer(f)
-	f.issuer = f.server.URL
-	return f
-}
-
-func (f *fakeOIDCServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	switch r.URL.Path {
-	case "/.well-known/openid-configuration":
-		f.handleDiscovery(w, r)
-	case "/token":
-		f.handleToken(w, r)
-	case "/keys":
-		f.handleJWKS(w, r)
-	default:
-		http.NotFound(w, r)
-	}
-}
-
-func (f *fakeOIDCServer) handleDiscovery(w http.ResponseWriter, _ *http.Request) {
-	discovery := map[string]interface{}{
-		"issuer":                 f.issuer,
-		"authorization_endpoint": f.issuer + "/auth",
-		"token_endpoint":         f.issuer + "/token",
-		"jwks_uri":               f.issuer + "/keys",
-		"response_types_supported": []string{
-			"code",
-			"id_token",
-			"token id_token",
-		},
-		"subject_types_supported":               []string{"public"},
-		"id_token_signing_alg_values_supported": []string{"EdDSA"},
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(discovery)
-}
-
-func (f *fakeOIDCServer) handleToken(w http.ResponseWriter, r *http.Request) {
-	if f.failExchange {
-		http.Error(w, "invalid_grant", http.StatusBadRequest)
-		return
-	}
-
-	if err := r.ParseForm(); err != nil {
-		http.Error(w, "bad request", http.StatusBadRequest)
-		return
-	}
-
-	idToken := f.createIDToken()
-
-	response := map[string]interface{}{
-		"access_token":  "test-access-token",
-		"token_type":    "Bearer",
-		"expires_in":    3600,
-		"id_token":      idToken,
-		"refresh_token": "test-refresh-token",
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(response)
-}
-
-func (f *fakeOIDCServer) createIDToken() string {
-	now := time.Now()
-	claims := jwt.MapClaims{
-		"iss": f.issuer,
-		"sub": f.tokenSubject,
-		"aud": "test-client-id",
-		"exp": now.Add(f.tokenExpiry).Unix(),
-		"iat": now.Unix(),
-		"nbf": now.Unix(),
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
-	token.Header["kid"] = f.keyID
-	signed, _ := token.SignedString(f.signingKey)
-	return signed
-}
-
-func (f *fakeOIDCServer) handleJWKS(w http.ResponseWriter, _ *http.Request) {
-	jwks := map[string]interface{}{
-		"keys": []map[string]interface{}{
-			{
-				"kty": "OKP",
-				"crv": "Ed25519",
-				"kid": f.keyID,
-				"x":   base64.RawURLEncoding.EncodeToString(f.publicKey),
-				"use": "sig",
-			},
-		},
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(jwks)
-}
-
-func (f *fakeOIDCServer) Close() {
-	f.server.Close()
-}
-
-// testSetup contains all test dependencies.
-type testSetup struct {
-	store        store.Store
-	oidcServer   *fakeOIDCServer
-	proxyService *nbgrpc.ProxyServiceServer
-	handler      *AuthCallbackHandler
-	router       *mux.Router
-	cleanup      func()
-}
-
-// testAccessLogManager is a minimal mock for accesslogs.Manager.
-type testAccessLogManager struct{}
-
-func (m *testAccessLogManager) SaveAccessLog(_ context.Context, _ *accesslogs.AccessLogEntry) error {
-	return nil
-}
-
-func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string) ([]*accesslogs.AccessLogEntry, error) {
-	return nil, nil
-}
-
-func setupAuthCallbackTest(t *testing.T) *testSetup {
-	t.Helper()
-
-	ctx := context.Background()
-
-	testStore, cleanup, err := store.NewTestStoreFromSQL(ctx, "", t.TempDir())
-	require.NoError(t, err)
-
-	createTestAccountsAndUsers(t, ctx, testStore)
-	createTestReverseProxies(t, ctx, testStore)
-
-	oidcServer := newFakeOIDCServer()
-
-	tokenStore := nbgrpc.NewOneTimeTokenStore(time.Minute)
-
-	usersManager := users.NewManager(testStore)
-
-	oidcConfig := nbgrpc.ProxyOIDCConfig{
-		Issuer:      oidcServer.issuer,
-		ClientID:    "test-client-id",
-		Scopes:      []string{"openid", "profile", "email"},
-		CallbackURL: "https://management.example.com/reverse-proxy/callback",
-		HMACKey:     []byte("test-hmac-key-for-state-signing"),
-	}
-
-	proxyService := nbgrpc.NewProxyServiceServer(
-		&testAccessLogManager{},
-		tokenStore,
-		oidcConfig,
-		nil,
-		usersManager,
-	)
-
-	proxyService.SetProxyManager(&testServiceManager{store: testStore})
-
-	handler := NewAuthCallbackHandler(proxyService)
-
-	router := mux.NewRouter()
-	handler.RegisterEndpoints(router)
-
-	return &testSetup{
-		store:        testStore,
-		oidcServer:   oidcServer,
-		proxyService: proxyService,
-		handler:      handler,
-		router:       router,
-		cleanup: func() {
-			cleanup()
-			oidcServer.Close()
-		},
-	}
-}
-
-func createTestReverseProxies(t *testing.T, ctx context.Context, testStore store.Store) {
-	t.Helper()
-
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
-	require.NoError(t, err)
-
-	pubKey := base64.StdEncoding.EncodeToString(pub)
-	privKey := base64.StdEncoding.EncodeToString(priv)
-
-	testProxy := &reverseproxy.Service{
-		ID:        "testProxyId",
-		AccountID: "testAccountId",
-		Name:      "Test Proxy",
-		Domain:    "test-proxy.example.com",
-		Targets: []*reverseproxy.Target{{
-			Path:       strPtr("/"),
-			Host:       "localhost",
-			Port:       8080,
-			Protocol:   "http",
-			TargetId:   "peer1",
-			TargetType: "peer",
-			Enabled:    true,
-		}},
-		Enabled: true,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
-				Enabled:            true,
-				DistributionGroups: []string{"allowedGroupId"},
-			},
-		},
-		SessionPrivateKey: privKey,
-		SessionPublicKey:  pubKey,
-	}
-	require.NoError(t, testStore.CreateService(ctx, testProxy))
-
-	restrictedProxy := &reverseproxy.Service{
-		ID:        "restrictedProxyId",
-		AccountID: "testAccountId",
-		Name:      "Restricted Proxy",
-		Domain:    "restricted-proxy.example.com",
-		Targets: []*reverseproxy.Target{{
-			Path:       strPtr("/"),
-			Host:       "localhost",
-			Port:       8080,
-			Protocol:   "http",
-			TargetId:   "peer1",
-			TargetType: "peer",
-			Enabled:    true,
-		}},
-		Enabled: true,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
-				Enabled:            true,
-				DistributionGroups: []string{"restrictedGroupId"},
-			},
-		},
-		SessionPrivateKey: privKey,
-		SessionPublicKey:  pubKey,
-	}
-	require.NoError(t, testStore.CreateService(ctx, restrictedProxy))
-
-	noAuthProxy := &reverseproxy.Service{
-		ID:        "noAuthProxyId",
-		AccountID: "testAccountId",
-		Name:      "No Auth Proxy",
-		Domain:    "no-auth-proxy.example.com",
-		Targets: []*reverseproxy.Target{{
-			Path:       strPtr("/"),
-			Host:       "localhost",
-			Port:       8080,
-			Protocol:   "http",
-			TargetId:   "peer1",
-			TargetType: "peer",
-			Enabled:    true,
-		}},
-		Enabled: true,
-		Auth: reverseproxy.AuthConfig{
-			BearerAuth: &reverseproxy.BearerAuthConfig{
-				Enabled: false,
-			},
-		},
-		SessionPrivateKey: privKey,
-		SessionPublicKey:  pubKey,
-	}
-	require.NoError(t, testStore.CreateService(ctx, noAuthProxy))
-}
-
-func strPtr(s string) *string {
-	return &s
-}
-
-func createTestAccountsAndUsers(t *testing.T, ctx context.Context, testStore store.Store) {
-	t.Helper()
-
-	testAccount := &types.Account{
-		Id:                     "testAccountId",
-		Domain:                 "test.com",
-		DomainCategory:         "private",
-		IsDomainPrimaryAccount: true,
-		CreatedAt:              time.Now(),
-	}
-	require.NoError(t, testStore.SaveAccount(ctx, testAccount))
-
-	allowedGroup := &types.Group{
-		ID:        "allowedGroupId",
-		AccountID: "testAccountId",
-		Name:      "Allowed Group",
-		Issued:    "api",
-	}
-	require.NoError(t, testStore.CreateGroup(ctx, allowedGroup))
-
-	allowedUser := &types.User{
-		Id:         "allowedUserId",
-		AccountID:  "testAccountId",
-		Role:       types.UserRoleUser,
-		AutoGroups: []string{"allowedGroupId"},
-		CreatedAt:  time.Now(),
-		Issued:     "api",
-	}
-	require.NoError(t, testStore.SaveUser(ctx, allowedUser))
-}
-
-// testServiceManager is a minimal implementation for testing.
-type testServiceManager struct {
-	store store.Store
-}
-
-func (m *testServiceManager) GetAllServices(_ context.Context, _, _ string) ([]*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testServiceManager) GetService(_ context.Context, _, _, _ string) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testServiceManager) CreateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testServiceManager) UpdateService(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return nil, nil
-}
-
-func (m *testServiceManager) DeleteService(_ context.Context, _, _, _ string) error {
-	return nil
-}
-
-func (m *testServiceManager) SetCertificateIssuedAt(_ context.Context, _, _ string) error {
-	return nil
-}
-
-func (m *testServiceManager) SetStatus(_ context.Context, _, _ string, _ reverseproxy.ProxyStatus) error {
-	return nil
-}
-
-func (m *testServiceManager) ReloadAllServicesForAccount(_ context.Context, _ string) error {
-	return nil
-}
-
-func (m *testServiceManager) ReloadService(_ context.Context, _, _ string) error {
-	return nil
-}
-
-func (m *testServiceManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	return m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
-}
-
-func (m *testServiceManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.Service, error) {
-	return m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, proxyID)
-}
-
-func (m *testServiceManager) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
-	return m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
-}
-
-func (m *testServiceManager) GetServiceIDByTargetID(_ context.Context, _, _ string) (string, error) {
-	return "", nil
-}
-
-func createTestState(t *testing.T, ps *nbgrpc.ProxyServiceServer, redirectURL string) string {
-	t.Helper()
-
-	resp, err := ps.GetOIDCURL(context.Background(), &proto.GetOIDCURLRequest{
-		RedirectUrl: redirectURL,
-		AccountId:   "testAccountId",
-	})
-	require.NoError(t, err)
-
-	parsedURL, err := url.Parse(resp.Url)
-	require.NoError(t, err)
-
-	return parsedURL.Query().Get("state")
-}
-
-func TestAuthCallback_UserAllowedToLogin(t *testing.T) {
-	setup := setupAuthCallbackTest(t)
-	defer setup.cleanup()
-
-	setup.oidcServer.tokenSubject = "allowedUserId"
-
-	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/dashboard")
-
-	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
-	rec := httptest.NewRecorder()
-
-	setup.router.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusFound, rec.Code)
-
-	location := rec.Header().Get("Location")
-	require.NotEmpty(t, location)
-
-	parsedLocation, err := url.Parse(location)
-	require.NoError(t, err)
-
-	require.Equal(t, "test-proxy.example.com", parsedLocation.Host)
-	require.NotEmpty(t, parsedLocation.Query().Get("session_token"), "Should include session token")
-	require.Empty(t, parsedLocation.Query().Get("error"), "Should not have error parameter")
-}
-
-func TestAuthCallback_ProxyNotFound(t *testing.T) {
-	setup := setupAuthCallbackTest(t)
-	defer setup.cleanup()
-
-	setup.oidcServer.tokenSubject = "allowedUserId"
-
-	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
-
-	require.NoError(t, setup.store.DeleteService(context.Background(), "testAccountId", "testProxyId"))
-
-	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
-	rec := httptest.NewRecorder()
-
-	setup.router.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusFound, rec.Code)
-
-	location := rec.Header().Get("Location")
-	parsedLocation, err := url.Parse(location)
-	require.NoError(t, err)
-
-	require.Equal(t, "access_denied", parsedLocation.Query().Get("error"))
-}
-
-func TestAuthCallback_InvalidToken(t *testing.T) {
-	setup := setupAuthCallbackTest(t)
-	defer setup.cleanup()
-
-	setup.oidcServer.failExchange = true
-
-	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
-
-	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=invalid-code&state="+url.QueryEscape(state), nil)
-	rec := httptest.NewRecorder()
-
-	setup.router.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusInternalServerError, rec.Code)
-	require.Contains(t, rec.Body.String(), "Failed to exchange code")
-}
-
-func TestAuthCallback_ExpiredToken(t *testing.T) {
-	setup := setupAuthCallbackTest(t)
-	defer setup.cleanup()
-
-	setup.oidcServer.tokenSubject = "allowedUserId"
-	setup.oidcServer.tokenExpiry = -time.Hour
-
-	state := createTestState(t, setup.proxyService, "https://test-proxy.example.com/")
-
-	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state="+url.QueryEscape(state), nil)
-	rec := httptest.NewRecorder()
-
-	setup.router.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusUnauthorized, rec.Code)
-	require.Contains(t, rec.Body.String(), "Failed to validate token")
-}
-
-func TestAuthCallback_InvalidState(t *testing.T) {
-	setup := setupAuthCallbackTest(t)
-	defer setup.cleanup()
-
-	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code&state=invalid-state", nil)
-	rec := httptest.NewRecorder()
-
-	setup.router.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusBadRequest, rec.Code)
-	require.Contains(t, rec.Body.String(), "Invalid state")
-}
-
-func TestAuthCallback_MissingState(t *testing.T) {
-	setup := setupAuthCallbackTest(t)
-	defer setup.cleanup()
-
-	req := httptest.NewRequest(http.MethodGet, "/reverse-proxy/callback?code=test-auth-code", nil)
-	rec := httptest.NewRecorder()
-
-	setup.router.ServeHTTP(rec, req)
-
-	require.Equal(t, http.StatusBadRequest, rec.Code)
-}
--- a/management/server/http/handlers/proxy/auth_test.go
+++ b/management/server/http/handlers/proxy/auth_test.go
@@ -1,156 +0,0 @@
-package proxy
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-)
-
-func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
-	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
-
-	req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
-	req.RemoteAddr = "192.168.1.100:12345"
-
-	t.Run("allows requests under limit", func(t *testing.T) {
-		for i := 0; i < 15; i++ {
-			allowed := handler.rateLimiter.Allow("192.168.1.100")
-			assert.True(t, allowed, "Request %d should be allowed", i+1)
-		}
-	})
-
-	t.Run("blocks requests over limit", func(t *testing.T) {
-		handler.rateLimiter.Reset("192.168.1.200")
-
-		for i := 0; i < 15; i++ {
-			handler.rateLimiter.Allow("192.168.1.200")
-		}
-
-		allowed := handler.rateLimiter.Allow("192.168.1.200")
-		assert.False(t, allowed, "Request over limit should be blocked")
-	})
-
-	t.Run("different IPs have separate limits", func(t *testing.T) {
-		ip1 := "192.168.1.201"
-		ip2 := "192.168.1.202"
-
-		handler.rateLimiter.Reset(ip1)
-		handler.rateLimiter.Reset(ip2)
-
-		for i := 0; i < 15; i++ {
-			handler.rateLimiter.Allow(ip1)
-		}
-
-		assert.False(t, handler.rateLimiter.Allow(ip1), "IP1 should be blocked")
-
-		assert.True(t, handler.rateLimiter.Allow(ip2), "IP2 should be allowed")
-	})
-}
-
-func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
-	testIP := "10.0.0.50"
-
-	handler.rateLimiter.Reset(testIP)
-
-	t.Run("returns 429 when rate limited", func(t *testing.T) {
-		for i := 0; i < 15; i++ {
-			handler.rateLimiter.Allow(testIP)
-		}
-
-		req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
-		req.RemoteAddr = testIP + ":12345"
-
-		rr := httptest.NewRecorder()
-		handler.handleCallback(rr, req)
-
-		assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Should return 429 status code")
-		assert.Contains(t, rr.Body.String(), "Too many requests", "Should contain rate limit message")
-	})
-}
-
-func TestGetClientIP(t *testing.T) {
-	tests := []struct {
-		name          string
-		remoteAddr    string
-		xForwardedFor string
-		xRealIP       string
-		expectedIP    string
-	}{
-		{
-			name:       "extract from RemoteAddr",
-			remoteAddr: "192.168.1.100:12345",
-			expectedIP: "192.168.1.100",
-		},
-		{
-			name:          "extract from X-Forwarded-For single IP",
-			remoteAddr:    "10.0.0.1:54321",
-			xForwardedFor: "203.0.113.195",
-			expectedIP:    "203.0.113.195",
-		},
-		{
-			name:          "extract from X-Forwarded-For multiple IPs",
-			remoteAddr:    "10.0.0.1:54321",
-			xForwardedFor: "203.0.113.195, 70.41.3.18, 150.172.238.178",
-			expectedIP:    "203.0.113.195",
-		},
-		{
-			name:       "extract from X-Real-IP",
-			remoteAddr: "10.0.0.1:54321",
-			xRealIP:    "198.51.100.42",
-			expectedIP: "198.51.100.42",
-		},
-		{
-			name:          "X-Forwarded-For takes precedence over X-Real-IP",
-			remoteAddr:    "10.0.0.1:54321",
-			xForwardedFor: "203.0.113.195",
-			xRealIP:       "198.51.100.42",
-			expectedIP:    "203.0.113.195",
-		},
-		{
-			name:       "handle RemoteAddr without port",
-			remoteAddr: "192.168.1.100",
-			expectedIP: "192.168.1.100",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test", nil)
-			req.RemoteAddr = tt.remoteAddr
-
-			if tt.xForwardedFor != "" {
-				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
-			}
-			if tt.xRealIP != "" {
-				req.Header.Set("X-Real-IP", tt.xRealIP)
-			}
-
-			ip := getClientIP(req)
-			assert.Equal(t, tt.expectedIP, ip, "Extracted IP should match expected")
-		})
-	}
-}
-
-func TestAuthCallbackHandler_RateLimiterConfiguration(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
-
-	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
-
-	testIP := "192.168.1.250"
-	handler.rateLimiter.Reset(testIP)
-
-	for i := 0; i < 15; i++ {
-		allowed := handler.rateLimiter.Allow(testIP)
-		assert.True(t, allowed, "Should allow request %d within burst limit", i+1)
-	}
-
-	allowed := handler.rateLimiter.Allow(testIP)
-	assert.False(t, allowed, "Should block request that exceeds burst limit")
-}
--- a/management/server/http/handlers/users/invites_handler_test.go
+++ b/management/server/http/handlers/users/invites_handler_test.go
@@ -205,14 +205,6 @@ func TestCreateInvite(t *testing.T) {
 				return nil, status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 			},
 		},
-		{
-			name:           "local auth disabled",
-			requestBody:    `{"email":"test@example.com","name":"Test User","role":"user","auto_groups":[]}`,
-			expectedStatus: http.StatusPreconditionFailed,
-			mockFunc: func(ctx context.Context, accountID, initiatorUserID string, invite *types.UserInfo, expiresIn int) (*types.UserInvite, error) {
-				return nil, status.Errorf(status.PreconditionFailed, "local user creation is disabled - use an external identity provider")
-			},
-		},
 		{
 			name:           "invalid JSON",
 			requestBody:    `{invalid json}`,
@@ -384,15 +376,6 @@ func TestAcceptInvite(t *testing.T) {
 				return status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 			},
 		},
-		{
-			name:           "local auth disabled",
-			token:          testInviteToken,
-			requestBody:    `{"password":"SecurePass123!"}`,
-			expectedStatus: http.StatusPreconditionFailed,
-			mockFunc: func(ctx context.Context, token, password string) error {
-				return status.Errorf(status.PreconditionFailed, "local user creation is disabled - use an external identity provider")
-			},
-		},
 		{
 			name:           "missing token",
 			token:          "",
--- a/management/server/http/testing/testing_tools/channel/channel.go
+++ b/management/server/http/testing/testing_tools/channel/channel.go
@@ -73,7 +73,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	proxyController := integrations.NewController(store)
 	userManager := users.NewManager(store)
 	permissionsManager := permissions.NewManager(store)
-	settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManager, settings.IdpConfig{})
+	settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManager)
 	peersManager := peers.NewManager(store, permissionsManager)

 	jobManager := job.NewJobManager(nil, store, peersManager)
@@ -102,7 +102,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, nil, nil, nil, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -135,7 +135,7 @@ func NewAuth0Manager(config Auth0ClientConfig, appMetrics telemetry.AppMetrics)
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

-	httpClient := &http.Client{
+		httpClient := &http.Client{
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
--- a/management/server/idp/authentik.go
+++ b/management/server/idp/authentik.go
@@ -56,7 +56,7 @@ func NewAuthentikManager(config AuthentikClientConfig, appMetrics telemetry.AppM
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-
+	
 	helper := JsonParser{}

 	if config.ClientID == "" {
--- a/management/server/idp/azure.go
+++ b/management/server/idp/azure.go
@@ -57,11 +57,11 @@ func NewAzureManager(config AzureClientConfig, appMetrics telemetry.AppMetrics)
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

-	httpClient := &http.Client{
+		httpClient := &http.Client{
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-
+	
 	helper := JsonParser{}

 	if config.ClientID == "" {
--- a/management/server/idp/embedded.go
+++ b/management/server/idp/embedded.go
@@ -43,11 +43,6 @@ type EmbeddedIdPConfig struct {
 	Owner *OwnerConfig
 	// SignKeyRefreshEnabled enables automatic key rotation for signing keys
 	SignKeyRefreshEnabled bool
-	// LocalAuthDisabled disables the local (email/password) authentication connector.
-	// When true, users cannot authenticate via email/password, only via external identity providers.
-	// Existing local users are preserved and will be able to login again if re-enabled.
-	// Cannot be enabled if no external identity provider connectors are configured.
-	LocalAuthDisabled bool
 }

 // EmbeddedStorageConfig holds storage configuration for the embedded IdP.
@@ -91,12 +86,6 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 	cliRedirectURIs = append(cliRedirectURIs, "/device/callback")
 	cliRedirectURIs = append(cliRedirectURIs, c.Issuer+"/device/callback")

-	// Build dashboard redirect URIs including the OAuth callback for proxy authentication
-	dashboardRedirectURIs := c.DashboardRedirectURIs
-	baseURL := strings.TrimSuffix(c.Issuer, "/oauth2")
-	// todo: resolve import cycle
-	dashboardRedirectURIs = append(dashboardRedirectURIs, baseURL+"/api/reverse-proxy/callback")
-
 	cfg := &dex.YAMLConfig{
 		Issuer: c.Issuer,
 		Storage: dex.Storage{
@@ -116,15 +105,13 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
 			Issuer: "NetBird",
 			Theme:  "light",
 		},
-		// Always enable password DB initially - we disable the local connector after startup if needed.
-		// This ensures Dex has at least one connector during initialization.
 		EnablePasswordDB: true,
 		StaticClients: []storage.Client{
 			{
 				ID:           staticClientDashboard,
 				Name:         "NetBird Dashboard",
 				Public:       true,
-				RedirectURIs: dashboardRedirectURIs,
+				RedirectURIs: c.DashboardRedirectURIs,
 			},
 			{
 				ID:           staticClientCLI,
@@ -205,32 +192,11 @@ func NewEmbeddedIdPManager(ctx context.Context, config *EmbeddedIdPConfig, appMe
 		return nil, err
 	}

-	log.WithContext(ctx).Debugf("initializing embedded Dex IDP with config: %+v", config)
-
 	provider, err := dex.NewProviderFromYAML(ctx, yamlConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create embedded IdP provider: %w", err)
 	}

-	// If local auth is disabled, validate that other connectors exist
-	if config.LocalAuthDisabled {
-		hasOthers, err := provider.HasNonLocalConnectors(ctx)
-		if err != nil {
-			_ = provider.Stop(ctx)
-			return nil, fmt.Errorf("failed to check connectors: %w", err)
-		}
-		if !hasOthers {
-			_ = provider.Stop(ctx)
-			return nil, fmt.Errorf("cannot disable local authentication: no other identity providers configured")
-		}
-		// Ensure local connector is removed (it might exist from a previous run)
-		if err := provider.DisableLocalAuth(ctx); err != nil {
-			_ = provider.Stop(ctx)
-			return nil, fmt.Errorf("failed to disable local auth: %w", err)
-		}
-		log.WithContext(ctx).Info("local authentication disabled - only external identity providers can be used")
-	}
-
 	log.WithContext(ctx).Infof("embedded Dex IDP initialized with issuer: %s", yamlConfig.Issuer)

 	return &EmbeddedIdPManager{
@@ -315,8 +281,6 @@ func (m *EmbeddedIdPManager) GetAllAccounts(ctx context.Context) (map[string][]*
 		return nil, fmt.Errorf("failed to list users: %w", err)
 	}

-	log.WithContext(ctx).Debugf("retrieved %d users from embedded IdP", len(users))
-
 	indexedUsers := make(map[string][]*UserData)
 	for _, user := range users {
 		indexedUsers[UnsetAccountID] = append(indexedUsers[UnsetAccountID], &UserData{
@@ -326,17 +290,11 @@ func (m *EmbeddedIdPManager) GetAllAccounts(ctx context.Context) (map[string][]*
 		})
 	}

-	log.WithContext(ctx).Debugf("retrieved %d users from embedded IdP", len(indexedUsers[UnsetAccountID]))
-
 	return indexedUsers, nil
 }

 // CreateUser creates a new user in the embedded IdP.
 func (m *EmbeddedIdPManager) CreateUser(ctx context.Context, email, name, accountID, invitedByEmail string) (*UserData, error) {
-	if m.config.LocalAuthDisabled {
-		return nil, fmt.Errorf("local user creation is disabled")
-	}
-
 	if m.appMetrics != nil {
 		m.appMetrics.IDPMetrics().CountCreateUser()
 	}
@@ -406,10 +364,6 @@ func (m *EmbeddedIdPManager) GetUserByEmail(ctx context.Context, email string) (
 // Unlike CreateUser which auto-generates a password, this method uses the provided password.
 // This is useful for instance setup where the user provides their own password.
 func (m *EmbeddedIdPManager) CreateUserWithPassword(ctx context.Context, email, password, name string) (*UserData, error) {
-	if m.config.LocalAuthDisabled {
-		return nil, fmt.Errorf("local user creation is disabled")
-	}
-
 	if m.appMetrics != nil {
 		m.appMetrics.IDPMetrics().CountCreateUser()
 	}
@@ -599,13 +553,3 @@ func (m *EmbeddedIdPManager) GetClientIDs() []string {
 func (m *EmbeddedIdPManager) GetUserIDClaim() string {
 	return defaultUserIDClaim
 }
-
-// IsLocalAuthDisabled returns whether local authentication is disabled based on configuration.
-func (m *EmbeddedIdPManager) IsLocalAuthDisabled() bool {
-	return m.config.LocalAuthDisabled
-}
-
-// HasNonLocalConnectors checks if there are any identity provider connectors other than local.
-func (m *EmbeddedIdPManager) HasNonLocalConnectors(ctx context.Context) (bool, error) {
-	return m.provider.HasNonLocalConnectors(ctx)
-}
--- a/management/server/idp/embedded_test.go
+++ b/management/server/idp/embedded_test.go
@@ -370,234 +370,3 @@ func TestEmbeddedIdPManager_GetLocalKeysLocation(t *testing.T) {
 		})
 	}
 }
-
-func TestEmbeddedIdPManager_LocalAuthDisabled(t *testing.T) {
-	ctx := context.Background()
-
-	t.Run("cannot start with local auth disabled without other connectors", func(t *testing.T) {
-		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
-		require.NoError(t, err)
-		defer os.RemoveAll(tmpDir)
-
-		config := &EmbeddedIdPConfig{
-			Enabled:           true,
-			Issuer:            "http://localhost:5556/dex",
-			LocalAuthDisabled: true,
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: filepath.Join(tmpDir, "dex.db"),
-				},
-			},
-		}
-
-		_, err = NewEmbeddedIdPManager(ctx, config, nil)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "no other identity providers configured")
-	})
-
-	t.Run("local auth enabled by default", func(t *testing.T) {
-		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
-		require.NoError(t, err)
-		defer os.RemoveAll(tmpDir)
-
-		config := &EmbeddedIdPConfig{
-			Enabled: true,
-			Issuer:  "http://localhost:5556/dex",
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: filepath.Join(tmpDir, "dex.db"),
-				},
-			},
-		}
-
-		manager, err := NewEmbeddedIdPManager(ctx, config, nil)
-		require.NoError(t, err)
-		defer func() { _ = manager.Stop(ctx) }()
-
-		// Verify local auth is enabled by default
-		assert.False(t, manager.IsLocalAuthDisabled())
-	})
-
-	t.Run("start with local auth disabled when connector exists", func(t *testing.T) {
-		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
-		require.NoError(t, err)
-		defer os.RemoveAll(tmpDir)
-
-		dbFile := filepath.Join(tmpDir, "dex.db")
-
-		// First, create a manager with local auth enabled and add a connector
-		config1 := &EmbeddedIdPConfig{
-			Enabled: true,
-			Issuer:  "http://localhost:5556/dex",
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: dbFile,
-				},
-			},
-		}
-
-		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
-		require.NoError(t, err)
-
-		// Create a user
-		userData, err := manager1.CreateUser(ctx, "preserved@example.com", "Preserved User", "account1", "admin@example.com")
-		require.NoError(t, err)
-		userID := userData.ID
-
-		// Add an external connector (Google doesn't require OIDC discovery)
-		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
-			ID:           "google-test",
-			Name:         "Google Test",
-			Type:         "google",
-			ClientID:     "test-client-id",
-			ClientSecret: "test-client-secret",
-		})
-		require.NoError(t, err)
-
-		// Stop the first manager
-		err = manager1.Stop(ctx)
-		require.NoError(t, err)
-
-		// Now create a new manager with local auth disabled
-		config2 := &EmbeddedIdPConfig{
-			Enabled:           true,
-			Issuer:            "http://localhost:5556/dex",
-			LocalAuthDisabled: true,
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: dbFile,
-				},
-			},
-		}
-
-		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
-		require.NoError(t, err)
-		defer func() { _ = manager2.Stop(ctx) }()
-
-		// Verify local auth is disabled via config
-		assert.True(t, manager2.IsLocalAuthDisabled())
-
-		// Verify the user still exists in storage (just can't login via local)
-		lookedUp, err := manager2.GetUserDataByID(ctx, userID, AppMetadata{})
-		require.NoError(t, err)
-		assert.Equal(t, "preserved@example.com", lookedUp.Email)
-	})
-
-	t.Run("CreateUser fails when local auth is disabled", func(t *testing.T) {
-		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
-		require.NoError(t, err)
-		defer os.RemoveAll(tmpDir)
-
-		dbFile := filepath.Join(tmpDir, "dex.db")
-
-		// First, create a manager and add an external connector
-		config1 := &EmbeddedIdPConfig{
-			Enabled: true,
-			Issuer:  "http://localhost:5556/dex",
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: dbFile,
-				},
-			},
-		}
-
-		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
-		require.NoError(t, err)
-
-		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
-			ID:           "google-test",
-			Name:         "Google Test",
-			Type:         "google",
-			ClientID:     "test-client-id",
-			ClientSecret: "test-client-secret",
-		})
-		require.NoError(t, err)
-
-		err = manager1.Stop(ctx)
-		require.NoError(t, err)
-
-		// Create manager with local auth disabled
-		config2 := &EmbeddedIdPConfig{
-			Enabled:           true,
-			Issuer:            "http://localhost:5556/dex",
-			LocalAuthDisabled: true,
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: dbFile,
-				},
-			},
-		}
-
-		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
-		require.NoError(t, err)
-		defer func() { _ = manager2.Stop(ctx) }()
-
-		// Try to create a user - should fail
-		_, err = manager2.CreateUser(ctx, "newuser@example.com", "New User", "account1", "admin@example.com")
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "local user creation is disabled")
-	})
-
-	t.Run("CreateUserWithPassword fails when local auth is disabled", func(t *testing.T) {
-		tmpDir, err := os.MkdirTemp("", "embedded-idp-test-*")
-		require.NoError(t, err)
-		defer os.RemoveAll(tmpDir)
-
-		dbFile := filepath.Join(tmpDir, "dex.db")
-
-		// First, create a manager and add an external connector
-		config1 := &EmbeddedIdPConfig{
-			Enabled: true,
-			Issuer:  "http://localhost:5556/dex",
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: dbFile,
-				},
-			},
-		}
-
-		manager1, err := NewEmbeddedIdPManager(ctx, config1, nil)
-		require.NoError(t, err)
-
-		_, err = manager1.CreateConnector(ctx, &dex.ConnectorConfig{
-			ID:           "google-test",
-			Name:         "Google Test",
-			Type:         "google",
-			ClientID:     "test-client-id",
-			ClientSecret: "test-client-secret",
-		})
-		require.NoError(t, err)
-
-		err = manager1.Stop(ctx)
-		require.NoError(t, err)
-
-		// Create manager with local auth disabled
-		config2 := &EmbeddedIdPConfig{
-			Enabled:           true,
-			Issuer:            "http://localhost:5556/dex",
-			LocalAuthDisabled: true,
-			Storage: EmbeddedStorageConfig{
-				Type: "sqlite3",
-				Config: EmbeddedStorageTypeConfig{
-					File: dbFile,
-				},
-			},
-		}
-
-		manager2, err := NewEmbeddedIdPManager(ctx, config2, nil)
-		require.NoError(t, err)
-		defer func() { _ = manager2.Stop(ctx) }()
-
-		// Try to create a user with password - should fail
-		_, err = manager2.CreateUserWithPassword(ctx, "newuser@example.com", "SecurePass123!", "New User")
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "local user creation is disabled")
-	})
-}
--- a/management/server/idp/google_workspace.go
+++ b/management/server/idp/google_workspace.go
@@ -51,7 +51,7 @@ func NewGoogleWorkspaceManager(ctx context.Context, config GoogleWorkspaceClient
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-
+	
 	helper := JsonParser{}

 	if config.CustomerID == "" {
--- a/management/server/idp/keycloak.go
+++ b/management/server/idp/keycloak.go
@@ -66,7 +66,7 @@ func NewKeycloakManager(config KeycloakClientConfig, appMetrics telemetry.AppMet
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-
+	
 	helper := JsonParser{}

 	if config.ClientID == "" {
--- a/management/server/idp/pocketid.go
+++ b/management/server/idp/pocketid.go
@@ -90,7 +90,7 @@ func NewPocketIdManager(config PocketIdClientConfig, appMetrics telemetry.AppMet
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-
+	
 	helper := JsonParser{}

 	if config.ManagementEndpoint == "" {
--- a/management/server/idp/util.go
+++ b/management/server/idp/util.go
@@ -76,7 +76,7 @@ const (
 	// Provides the env variable name for use with idpTimeout function
 	idpTimeoutEnv = "NB_IDP_TIMEOUT"
 	// Sets the defaultTimeout to 10s.
-	defaultTimeout = 10 * time.Second
+	defaultTimeout  = 10 * time.Second
 )

 // idpTimeout returns a timeout value for the IDP
--- a/management/server/idp/zitadel.go
+++ b/management/server/idp/zitadel.go
@@ -167,7 +167,7 @@ func NewZitadelManager(config ZitadelClientConfig, appMetrics telemetry.AppMetri
 		Timeout:   idpTimeout(),
 		Transport: httpTransport,
 	}
-
+	
 	helper := JsonParser{}

 	hasPAT := config.PAT != ""
--- a/management/server/instance/manager.go
+++ b/management/server/instance/manager.go
@@ -104,22 +104,13 @@ func NewManager(ctx context.Context, store store.Store, idpManager idp.Manager)
 }

 func (m *DefaultManager) loadSetupRequired(ctx context.Context) error {
-	// Check if there are any accounts in the NetBird store
-	numAccounts, err := m.store.GetAccountsCounter(ctx)
-	if err != nil {
-		return err
-	}
-	hasAccounts := numAccounts > 0
-
-	// Check if there are any users in the embedded IdP (Dex)
 	users, err := m.embeddedIdpManager.GetAllAccounts(ctx)
 	if err != nil {
 		return err
 	}
-	hasLocalUsers := len(users) > 0

 	m.setupMu.Lock()
-	m.setupRequired = !(hasAccounts || hasLocalUsers)
+	m.setupRequired = len(users) == 0
 	m.setupMu.Unlock()

 	return nil
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -610,7 +610,6 @@ func TestSync10PeersGetUpdates(t *testing.T) {

 	initialPeers := 10
 	additionalPeers := 10
-	expectedPeerCount := initialPeers + additionalPeers - 1 // -1 because peer doesn't see itself

 	var peers []wgtypes.Key
 	for i := 0; i < initialPeers; i++ {
@@ -619,19 +618,8 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 		peers = append(peers, key)
 	}

-	// Track the maximum peer count each peer has seen
-	type peerState struct {
-		mu           sync.Mutex
-		maxPeerCount int
-		done         bool
-	}
-	peerStates := make(map[string]*peerState)
-	for _, pk := range peers {
-		peerStates[pk.PublicKey().String()] = &peerState{}
-	}
-
 	var wg sync.WaitGroup
-	wg.Add(initialPeers) // One completion per initial peer
+	wg.Add(initialPeers + initialPeers*additionalPeers)

 	var syncClients []mgmtProto.ManagementService_SyncClient
 	for _, pk := range peers {
@@ -655,9 +643,6 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 		syncClients = append(syncClients, s)

 		go func(pk wgtypes.Key, syncStream mgmtProto.ManagementService_SyncClient) {
-			pubKey := pk.PublicKey().String()
-			state := peerStates[pubKey]
-
 			for {
 				encMsg := &mgmtProto.EncryptedMessage{}
 				err := syncStream.RecvMsg(encMsg)
@@ -666,28 +651,19 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 				}
 				decryptedBytes, decErr := encryption.Decrypt(encMsg.Body, ts.serverPubKey, pk)
 				if decErr != nil {
-					t.Errorf("failed to decrypt SyncResponse for peer %s: %v", pubKey, decErr)
+					t.Errorf("failed to decrypt SyncResponse for peer %s: %v", pk.PublicKey().String(), decErr)
 					return
 				}
 				resp := &mgmtProto.SyncResponse{}
 				umErr := pb.Unmarshal(decryptedBytes, resp)
 				if umErr != nil {
-					t.Errorf("failed to unmarshal SyncResponse for peer %s: %v", pubKey, umErr)
+					t.Errorf("failed to unmarshal SyncResponse for peer %s: %v", pk.PublicKey().String(), umErr)
 					return
 				}
-
-				// Track the maximum peer count seen (due to debouncing, updates are coalesced)
-				peerCount := len(resp.GetRemotePeers())
-				state.mu.Lock()
-				if peerCount > state.maxPeerCount {
-					state.maxPeerCount = peerCount
-				}
-				// Signal completion when this peer has seen all expected peers
-				if !state.done && state.maxPeerCount >= expectedPeerCount {
-					state.done = true
+				// We only count if there's a new peer update
+				if len(resp.GetRemotePeers()) > 0 {
 					wg.Done()
 				}
-				state.mu.Unlock()
 			}
 		}(pk, s)
 	}
@@ -701,30 +677,7 @@ func TestSync10PeersGetUpdates(t *testing.T) {
 		time.Sleep(time.Duration(n) * time.Millisecond)
 	}

-	// Wait for debouncer to flush final updates (debounce interval is 1000ms)
-	time.Sleep(1500 * time.Millisecond)
-
-	// Wait with timeout
-	done := make(chan struct{})
-	go func() {
-		wg.Wait()
-		close(done)
-	}()
-
-	select {
-	case <-done:
-		// Success - all peers received expected peer count
-	case <-time.After(5 * time.Second):
-		// Timeout - report which peers didn't receive all updates
-		t.Error("Timeout waiting for all peers to receive updates")
-		for pubKey, state := range peerStates {
-			state.mu.Lock()
-			if state.maxPeerCount < expectedPeerCount {
-				t.Errorf("Peer %s only saw %d peers, expected %d", pubKey, state.maxPeerCount, expectedPeerCount)
-			}
-			state.mu.Unlock()
-		}
-	}
+	wg.Wait()

 	for _, sc := range syncClients {
 		err := sc.CloseSend()
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -12,7 +12,6 @@ import (
 	"google.golang.org/grpc/status"

 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/idp"
@@ -38,8 +37,8 @@ type MockAccountManager struct {
 	GetUserFromUserAuthFunc               func(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsersFunc                         func(ctx context.Context, accountID string) ([]*types.User, error)
 	GetPeersFunc                          func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP, syncTime time.Time) error
-	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
+	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP) error
+	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
 	DeletePeerFunc                        func(ctx context.Context, accountID, peerKey, userID string) error
 	GetNetworkMapFunc                     func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
 	GetPeerNetworkFunc                    func(ctx context.Context, peerKey string) (*types.Network, error)
@@ -148,10 +147,6 @@ type MockAccountManager struct {
 	DeleteUserInviteFunc       func(ctx context.Context, accountID, initiatorUserID, inviteID string) error
 }

-func (am *MockAccountManager) SetServiceManager(serviceManager reverseproxy.Manager) {
-	// Mock implementation - no-op
-}
-
 func (am *MockAccountManager) CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error {
 	if am.CreatePeerJobFunc != nil {
 		return am.CreatePeerJobFunc(ctx, accountID, peerID, userID, job)
@@ -219,15 +214,16 @@ func (am *MockAccountManager) DeleteSetupKey(ctx context.Context, accountID, use
 	return status.Errorf(codes.Unimplemented, "method DeleteSetupKey is not implemented")
 }

-func (am *MockAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
+func (am *MockAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	if am.SyncAndMarkPeerFunc != nil {
-		return am.SyncAndMarkPeerFunc(ctx, accountID, peerPubKey, meta, realIP, syncTime)
+		return am.SyncAndMarkPeerFunc(ctx, accountID, peerPubKey, meta, realIP)
 	}
 	return nil, nil, nil, 0, status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }

-func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID string, peerPubKey string, streamStartTime time.Time) error {
-	return nil
+func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID string, peerPubKey string) error {
+	// TODO implement me
+	panic("implement me")
 }

 func (am *MockAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error) {
@@ -327,9 +323,9 @@ func (am *MockAccountManager) GetAccountIDByUserID(ctx context.Context, userAuth
 }

 // MarkPeerConnected mock implementation of MarkPeerConnected from server.AccountManager interface
-func (am *MockAccountManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
+func (am *MockAccountManager) MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string) error {
 	if am.MarkPeerConnectedFunc != nil {
-		return am.MarkPeerConnectedFunc(ctx, peerKey, connected, realIP, syncTime)
+		return am.MarkPeerConnectedFunc(ctx, peerKey, connected, realIP)
 	}
 	return status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }
--- a/management/server/networks/resources/manager.go
+++ b/management/server/networks/resources/manager.go
@@ -5,9 +5,6 @@ import (
 	"errors"
 	"fmt"

-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -33,23 +30,21 @@ type Manager interface {
 }

 type managerImpl struct {
-	store               store.Store
-	permissionsManager  permissions.Manager
-	groupsManager       groups.Manager
-	accountManager      account.Manager
-	reverseProxyManager reverseproxy.Manager
+	store              store.Store
+	permissionsManager permissions.Manager
+	groupsManager      groups.Manager
+	accountManager     account.Manager
 }

 type mockManager struct {
 }

-func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager account.Manager, reverseproxyManager reverseproxy.Manager) Manager {
+func NewManager(store store.Store, permissionsManager permissions.Manager, groupsManager groups.Manager, accountManager account.Manager) Manager {
 	return &managerImpl{
-		store:               store,
-		permissionsManager:  permissionsManager,
-		groupsManager:       groupsManager,
-		accountManager:      accountManager,
-		reverseProxyManager: reverseproxyManager,
+		store:              store,
+		permissionsManager: permissionsManager,
+		groupsManager:      groupsManager,
+		accountManager:     accountManager,
 	}
 }

@@ -262,14 +257,6 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		event()
 	}

-	// TODO: optimize to only reload reverse proxies that are affected by the resource update instead of all of them
-	go func() {
-		err := m.reverseProxyManager.ReloadAllServicesForAccount(ctx, resource.AccountID)
-		if err != nil {
-			log.WithContext(ctx).Warnf("failed to reload all proxies for account: %v", err)
-		}
-	}()
-
 	go m.accountManager.UpdateAccountPeers(ctx, resource.AccountID)

 	return resource, nil
@@ -322,14 +309,6 @@ func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, net
 		return status.NewPermissionDeniedError()
 	}

-	serviceID, err := m.reverseProxyManager.GetServiceIDByTargetID(ctx, accountID, resourceID)
-	if err != nil {
-		return fmt.Errorf("failed to check if resource is used by service: %w", err)
-	}
-	if serviceID != "" {
-		return status.NewResourceInUseError(resourceID, serviceID)
-	}
-
 	var events []func()
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		events, err = m.DeleteResourceInTransaction(ctx, transaction, accountID, userID, networkID, resourceID)
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -103,13 +103,11 @@ func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, acc
 }

 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
-// syncTime is used as the LastSeen timestamp and for stale request detection
-func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error {
+func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubKey string, connected bool, realIP net.IP, accountID string) error {
 	var peer *nbpeer.Peer
 	var settings *types.Settings
 	var expired bool
 	var err error
-	var skipped bool

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		peer, err = transaction.GetPeerByPeerPubKey(ctx, store.LockingStrengthUpdate, peerPubKey)
@@ -117,19 +115,9 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 			return err
 		}

-		if connected && !syncTime.After(peer.Status.LastSeen) {
-			log.WithContext(ctx).Tracef("peer %s has newer activity (lastSeen=%s >= syncTime=%s), skipping connect",
-				peer.ID, peer.Status.LastSeen.Format(time.RFC3339), syncTime.Format(time.RFC3339))
-			skipped = true
-			return nil
-		}
-
-		expired, err = updatePeerStatusAndLocation(ctx, am.geo, transaction, peer, connected, realIP, accountID, syncTime)
+		expired, err = updatePeerStatusAndLocation(ctx, am.geo, transaction, peer, connected, realIP, accountID)
 		return err
 	})
-	if skipped {
-		return nil
-	}
 	if err != nil {
 		return err
 	}
@@ -159,10 +147,10 @@ func (am *DefaultAccountManager) MarkPeerConnected(ctx context.Context, peerPubK
 	return nil
 }

-func updatePeerStatusAndLocation(ctx context.Context, geo geolocation.Geolocation, transaction store.Store, peer *nbpeer.Peer, connected bool, realIP net.IP, accountID string, syncTime time.Time) (bool, error) {
+func updatePeerStatusAndLocation(ctx context.Context, geo geolocation.Geolocation, transaction store.Store, peer *nbpeer.Peer, connected bool, realIP net.IP, accountID string) (bool, error) {
 	oldStatus := peer.Status.Copy()
 	newStatus := oldStatus
-	newStatus.LastSeen = syncTime
+	newStatus.LastSeen = time.Now().UTC()
 	newStatus.Connected = connected
 	// whenever peer got connected that means that it logged in successfully
 	if newStatus.Connected {
@@ -489,14 +477,6 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 	var settings *types.Settings
 	var eventsToStore []func()

-	serviceID, err := am.reverseProxyManager.GetServiceIDByTargetID(ctx, accountID, peerID)
-	if err != nil {
-		return fmt.Errorf("failed to check if resource is used by service: %w", err)
-	}
-	if serviceID != "" {
-		return status.NewPeerInUseError(peerID, serviceID)
-	}
-
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		peer, err = transaction.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 		if err != nil {
@@ -565,7 +545,7 @@ func (am *DefaultAccountManager) GetPeerNetwork(ctx context.Context, peerID stri
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
 func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKey, userID string, peer *nbpeer.Peer, temporary bool) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
-	if setupKey == "" && userID == "" && !peer.ProxyMeta.Embedded {
+	if setupKey == "" && userID == "" {
 		// no auth method provided => reject access
 		return nil, nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
 	}
@@ -574,7 +554,6 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 	hashedKey := sha256.Sum256([]byte(upperKey))
 	encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
 	addedByUser := len(userID) > 0
-	addedBySetupKey := len(setupKey) > 0

 	// This is a handling for the case when the same machine (with the same WireGuard pub key) tries to register twice.
 	// Such case is possible when AddPeer function takes long time to finish after AcquireWriteLockByUID (e.g., database is slow)
@@ -594,11 +573,10 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe

 	var setupKeyID string
 	var setupKeyName string
+	var ephemeral bool
 	var groupsToAdd []string
 	var allowExtraDNSLabels bool
-	ephemeral := peer.Ephemeral
-	switch {
-	case addedByUser:
+	if addedByUser {
 		user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 		if err != nil {
 			return nil, nil, nil, status.Errorf(status.NotFound, "failed adding new peer: user not found")
@@ -621,7 +599,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		}
 		opEvent.InitiatorID = userID
 		opEvent.Activity = activity.PeerAddedByUser
-	case addedBySetupKey:
+	} else {
 		// Validate the setup key
 		sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
 		if err != nil {
@@ -644,12 +622,6 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
 			return nil, nil, nil, status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
 		}
-	default:
-		if peer.ProxyMeta.Embedded {
-			log.WithContext(ctx).Debugf("adding peer for proxy embedded, accountID: %s", accountID)
-		} else {
-			log.WithContext(ctx).Warnf("adding peer without setup key or userID, accountID: %s", accountID)
-		}
 	}
 	opEvent.AccountID = accountID

@@ -685,7 +657,6 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		CreatedAt:                   registrationTime,
 		LoginExpirationEnabled:      addedByUser && !temporary,
 		Ephemeral:                   ephemeral,
-		ProxyMeta:                   peer.ProxyMeta,
 		Location:                    peer.Location,
 		InactivityExpirationEnabled: addedByUser && !temporary,
 		ExtraDNSLabels:              peer.ExtraDNSLabels,
@@ -752,20 +723,17 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 				}
 			}

-			if !peer.ProxyMeta.Embedded {
-				err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
-				if err != nil {
-					return fmt.Errorf("failed adding peer to All group: %w", err)
-				}
+			err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
+			if err != nil {
+				return fmt.Errorf("failed adding peer to All group: %w", err)
 			}

-			switch {
-			case addedByUser:
+			if addedByUser {
 				err := transaction.SaveUserLastLogin(ctx, accountID, userID, newPeer.GetLastLogin())
 				if err != nil {
 					log.WithContext(ctx).Debugf("failed to update user last login: %v", err)
 				}
-			case addedBySetupKey:
+			} else {
 				sk, err := transaction.GetSetupKeyBySecret(ctx, store.LockingStrengthUpdate, encodedHashedKey)
 				if err != nil {
 					return fmt.Errorf("failed to get setup key: %w", err)
--- a/management/server/peer/peer.go
+++ b/management/server/peer/peer.go
@@ -24,8 +24,6 @@ type Peer struct {
 	IP net.IP `gorm:"serializer:json"` // uniqueness index per accountID (check migrations)
 	// Meta is a Peer system meta data
 	Meta PeerSystemMeta `gorm:"embedded;embeddedPrefix:meta_"`
-	// ProxyMeta is metadata related to proxy peers
-	ProxyMeta ProxyMeta `gorm:"embedded;embeddedPrefix:proxy_meta_"`
 	// Name is peer's name (machine name)
 	Name string `gorm:"index"`
 	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
@@ -50,7 +48,6 @@ type Peer struct {
 	CreatedAt time.Time
 	// Indicate ephemeral peer attribute
 	Ephemeral bool `gorm:"index"`
-
 	// Geo location based on connection IP
 	Location Location `gorm:"embedded;embeddedPrefix:location_"`

@@ -60,11 +57,6 @@ type Peer struct {
 	AllowExtraDNSLabels bool
 }

-type ProxyMeta struct {
-	Embedded bool   `gorm:"index"`
-	Cluster  string `gorm:"index"`
-}
-
 type PeerStatus struct { //nolint:revive
 	// LastSeen is the last time peer was connected to the management service
 	LastSeen time.Time
@@ -232,7 +224,6 @@ func (p *Peer) Copy() *Peer {
 		LastLogin:                   p.LastLogin,
 		CreatedAt:                   p.CreatedAt,
 		Ephemeral:                   p.Ephemeral,
-		ProxyMeta:                   p.ProxyMeta,
 		Location:                    p.Location,
 		InactivityExpirationEnabled: p.InactivityExpirationEnabled,
 		ExtraDNSLabels:              slices.Clone(p.ExtraDNSLabels),
--- a/Show More
+++ b/Show More